Home > Vulnerability Database > WS-2020-0399

Mend.io Vulnerability Database

WS-2020-0399

Good to know:

Date: June 2, 2020

In Ghost headless CMS, versions 1.24.3 through 2.38.1 and 3.0.0 through 3.17.1 are vulnerable to Server-Side Request Forgery in the OEmbed API. An attacker with a publisher role (editor, author, contributor, administrator) in a blog may be able to leverage this to make arbitrary GET requests in a Ghost Blog instance to internal or external networks.

Language: JS

Severity Score

5.0

Related Resources (3)

Url: https://github.com/TryGhost/Ghost/commit/061368a137d1277b86e556918db4ac0469e564ef

Url: https://github.com/TryGhost/Ghost/commit/64ed246d03a732da18dc94744c921212eaf49ab8

Url: https://www.mend.io/vulnerability-database/WS-2020-0399

Severity Score

5.0

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version ghost - 2.38.2;3.18.0

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2020-0399

Good to know:

Date: June 2, 2020

Language: JS

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?