CVE-2023-26510 — MEDIUM (5.7)

Vulnerability Description

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.

CVSS Score

5.7

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Ghost	Ghost	5.35.0

Related Weaknesses (CWE)

CWE-862

References

https://ghost.org/docs/security/Vendor Advisory
https://gist.github.com/yurahod/2e11eabbe4b92ef1d44b08e37023ecfbThird Party Advisory
https://gist.github.com/yurahod/828d5e6a077c12f3f74c6485d1c7f0e7Third Party Advisory
https://ghost.org/docs/security/Vendor Advisory
https://gist.github.com/yurahod/2e11eabbe4b92ef1d44b08e37023ecfbThird Party Advisory
https://gist.github.com/yurahod/828d5e6a077c12f3f74c6485d1c7f0e7Third Party Advisory

FAQ

What is CVE-2023-26510?

CVE-2023-26510 is a vulnerability with a CVSS score of 5.7 (MEDIUM). Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by edi...

How severe is CVE-2023-26510?

CVE-2023-26510 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-26510?

Check the references section above for vendor advisories and patch information. Affected products include: Ghost Ghost.