CVE-2024-43409
Ghost's improper authentication allows access to member information and actions
Description
### Impact Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. ### Vulnerable versions This security vulnerability is present in Ghost v4.46.0-v5.89.5. Ghost(Pro) customers are automatically updated to fixed versions ahead of disclosure. If you're a self-hoster, please follow our [update instructions](https://ghost.org/docs/update). ### Patches v5.89.5 contains a fix for this issue. ### Workarounds Disable site membership in Ghost settings. ### For more information If you have any questions or comments about this advisory: * Email us at [security@ghost.org](mailto:security@ghost.org)
How to fix CVE-2024-43409
To remediate CVE-2024-43409, upgrade the affected package to a fixed version below.
- —upgrade to 5.89.5 or later
- —upgrade to 5.89.5 or later
- —upgrade to 2.39.0 or later
Is CVE-2024-43409 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 4.46.0, < 5.89.5
- >= 4.46.0, < 5.89.5
- >= 1.22.2, < 2.39.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |