← Volver a CVEs
CVE-2023-40028
MEDIUM4.9
Descripcion
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Detalles CVE
Puntuacion CVSS v3.14.9
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosHIGH
Interaccion usuarioNONE
Publicado8/15/2023
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0
Productos afectados
ghost:ghost
Debilidades (CWE)
CWE-22CWE-59
Referencias
https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205(security-advisories@github.com)
https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg(security-advisories@github.com)
https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.