CVE-2021-39192, GHSA-j5c2-hm46-wp5c
npm/ghost
Improper Privilege Management
Ghost is a Node.js content management system. An error in the implementation of the limits service allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.
All versions starting from 4.0.0 before 4.10.0
Upgrade to version 4.10.0 or above.
2021-09-13
source |