The Cyber Security News
Two New Security Flaws Reported in Ghost CMS Blogging Software

December 22, 2022

Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform Ghost, one of which could be abused to elevate privileges via specially crafted HTTP requests.

Tracked as CVE-2022-41654 (CVSS score: 8.5), the authentication bypass vulnerability allows unprivileged users (i.e., members) to make unauthorized modifications to newsletter settings.

Cisco Talos, which discovered the shortcoming, said it could enable a member to change the system-wide default newsletter that all users are subscribed to by default.


“This gives unprivileged users the ability to view and change settings they were not intended to have access to,” Ghost said in an advisory released on November 28, 2022. “They are not able to escalate their privileges fully or gain access to further information.”

The CMS platform attributed the bug to a “hole” in its API validation, adding that it found no evidence the issue has been exploited in the wild.

Also patched by Ghost is an enumeration vulnerability in the login functionality (CVE-2022-41697, CVSS score: 5.3) that could lead to the disclosure of sensitive information.

Per Talos, this flaw could be leveraged by an attacker to enumerate all valid users of a Ghost instance by supplying an email address, which could then be used to narrow down potential targets for a follow-on phishing attack.

The flaws have been addressed in the Ghost (Pro) managed hosting service, but users who self-host the software and run a version between 4.46.0 and 4.48.7, or any version of v5 up to and including 5.22.6, are required to update to versions 4.48.8 and 5.22.7 respectively.
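The affected ranges above, turned into a check a self-hosting administrator could run over an inventory of Ghost versions. This is an added example, not code from the article, from Ghost or from Talos; it compares numeric version tuples rather than strings so that, for instance, 5.22.10 is correctly treated as later than 5.22.6.

```python
# Added example (not from the article, Ghost or Talos): map self-hosted Ghost
# versions to the fix release for CVE-2022-41654 / CVE-2022-41697, using only the
# ranges the article states.
from typing import Dict, Iterable, Optional, Tuple

# Ranges quoted in the article: 4.46.0-4.48.7 fixed in 4.48.8; 5.0.0-5.22.6 fixed in 5.22.7.
AFFECTED_RANGES = (
    ((4, 46, 0), (4, 48, 7), "4.48.8"),
    ((5, 0, 0), (5, 22, 6), "5.22.7"),
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (an optional leading 'v' is tolerated) into ints."""
    core = text.strip()
    if core.startswith("v"):
        core = core[1:]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def fix_version_for(version: str) -> Optional[str]:
    """Return the release to update to if `version` is in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        # Tuple comparison is element-wise, so 5.22.10 sorts after 5.22.6 as it should.
        if low <= v <= high:
            return fixed
    return None


def check_versions(versions: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each version string to its required fix (None when not in an affected range)."""
    return {ver: fix_version_for(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. the output of `ghost version` on each host.
    sample = ["4.45.0", "4.46.0", "v4.48.7", "4.48.8", "5.0.0", "5.22.6", "5.22.7", "5.22.10"]
    for ver, fix in check_versions(sample).items():
        print(ver, "->", f"update to {fix}" if fix else "not in an affected range")
```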



Some sections of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.