Home > Vulnerability Database > CVE-2023-40028

Mend.io Vulnerability Database

CVE-2023-40028

Good to know:

Date: August 15, 2023

Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's "content/" folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: JS

Severity Score

4.9

Related Resources (5)

Url: https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205

Url: https://github.com/TryGhost/Ghost

Url: https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40028

Url: https://www.mend.io/vulnerability-database/CVE-2023-40028

Severity Score

4.9

Weakness Type (CWE)

Improper Link Resolution Before File Access ('Link Following')

CWE-59

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version ghost - 5.59.1

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40028

Good to know:

Date: August 15, 2023

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?