
CVSS: 9.0 · EPSS: 0% · CPEs: 1 · EXPL: 1

An insecure default vulnerability exists in the post creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript into posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request that injects JavaScript into a post, then trick an administrator into visiting the post. A stored XSS vulnerability exists in the `facebook` field of a user. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-453: Insecure Default Variable Initialization

CVSS: 9.0 · EPSS: 0% · CPEs: 1 · EXPL: 1

An insecure default vulnerability exists in the post creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript into posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request that injects JavaScript into a post, then trick an administrator into visiting the post. A stored XSS vulnerability exists in the `twitter` field of a user. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-453: Insecure Default Variable Initialization • CWE-1188: Initialization of a Resource with an Insecure Default
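As an added example (not Ghost's code, and making no claim about how Ghost validates or renders these fields): the two controls that close a stored XSS in a user-editable profile link such as `facebook` or `twitter` are an allow-list on input and output encoding on render. The accepted hosts, the handle pattern and the function names below are assumptions for illustration; the sample inputs are constructed.

```javascript
// Added example, not Ghost's code. Assumed: profile fields hold a full
// profile URL, and only these hosts are legitimate for each field.
const PROFILE_HOSTS = {
  facebook: new Set(['facebook.com', 'www.facebook.com']),
  twitter: new Set(['twitter.com', 'www.twitter.com']),
};

// Input allow-list: parse with the WHATWG URL parser, accept only http(s)
// on an expected host with a plain handle path, and return a canonical
// form (no credentials, query or fragment). Anything else, including
// javascript: URLs and raw HTML, yields null.
function validateProfileUrl(field, value) {
  const hosts = PROFILE_HOSTS[field];
  if (!hosts) throw new Error(`unknown profile field: ${field}`);
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!hosts.has(url.hostname.toLowerCase())) return null;
  // A handle: letters, digits, dot, underscore, hyphen; percent-encoded
  // characters (which is what '<', '>' and '"' become) fail this check.
  if (!/^\/[A-Za-z0-9._-]{1,64}\/?$/.test(url.pathname)) return null;
  return `https://${url.hostname.toLowerCase()}${url.pathname}`;
}

// Output encoding for HTML text and attribute contexts. Applied even to
// values that passed validation: encoding on output is the last line of
// defence for data that was stored before the allow-list existed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render step: re-validate stored data and never emit a link for a value
// that fails, so legacy rows cannot carry a payload into an admin page.
function renderProfileLink(field, storedValue) {
  const href = validateProfileUrl(field, storedValue);
  if (href === null) return '';
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(field)}</a>`;
}

// Constructed samples: one legitimate profile, two payloads of the kind a
// non-administrator could store in an unfiltered field, one wrong host.
const SAMPLES = [
  ['twitter', 'https://twitter.com/ghost'],
  ['twitter', 'javascript:alert(document.cookie)'],
  ['facebook', 'https://www.facebook.com/ghost"><script>fetch("/ghost/api/admin/users/")</script>'],
  ['facebook', 'https://evil.example/ghost'],
];
for (const [field, value] of SAMPLES) {
  console.log(field, JSON.stringify(value), '=>', JSON.stringify(validateProfileUrl(field, value)));
}
```

The validator is deliberately strict about the path: a real profile handle never needs `<`, `>` or `"`, and the URL parser percent-encodes those characters, so the handle regex rejects them without any denylist of script tags.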

CVSS: 5.3 · EPSS: 0% · CPEs: 1 · EXPL: 1

A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially crafted HTTP request can lead to disclosure of sensitive information, namely whether a given account exists. An attacker can send a series of HTTP requests to trigger this vulnerability. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1625 • CWE-204: Observable Response Discrepancy

CVSS: 9.6 · EPSS: 0% · CPEs: 2 · EXPL: 1

An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially crafted HTTP request can lead to elevated privileges. An attacker can send an HTTP request to trigger this vulnerability. • https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6 • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1624 • CWE-284: Improper Access Control

CVSS: 7.5 · EPSS: 0% · CPEs: 1 · EXPL: 0

The sqlite3 package before 5.0.3 is vulnerable to Denial of Service (DoS): the driver invokes the toString function of a passed parameter, and if an invalid Function object is passed, the call throws and crashes the V8 engine. • https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a • https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470 • https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645
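As an added example (not node-sqlite3's code): the shape of the hostile value the advisory describes, shown from plain JavaScript where stringifying it raises an ordinary catchable exception, and a type allow-list a caller can place in front of any native database binding so such a value is rejected before it reaches native code. The `driver.run(sql, params, cb)` shape, the accepted type set and the function names are assumptions for illustration.

```javascript
// Added example, not node-sqlite3's code.

// A bind parameter crafted so that any attempt to stringify it throws. A
// native layer that converts it to a string without checking for a pending
// exception has no way to return an error, which is the crash path the
// advisory describes; JavaScript itself handles the same value cleanly.
const hostileParam = Object.assign(() => {}, {
  toString() { throw new TypeError('refusing to stringify'); },
});

function stringifyOutcome(value) {
  try {
    return { ok: true, value: String(value) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Allow-list of bind parameter types (assumed set; the types a particular
// driver accepts are documented by that driver). Functions, plain objects
// and anything with a user-controlled toString never cross the boundary.
function assertBindable(params) {
  return params.map((p, i) => {
    const t = typeof p;
    const ok = p === null || t === 'string' || t === 'number' || t === 'boolean'
      || t === 'bigint' || Buffer.isBuffer(p) || p instanceof Date;
    if (!ok) throw new TypeError(`bind parameter ${i} has unsupported type ${t}`);
    return p;
  });
}

// Guard in front of a hypothetical driver call `driver.run(sql, params, cb)`:
// a bad parameter becomes an error delivered to the callback, not a crash.
function safeRun(driver, sql, params, cb) {
  let checked;
  try {
    checked = assertBindable(params);
  } catch (err) {
    cb(err);
    return;
  }
  driver.run(sql, checked, cb);
}

// Constructed stand-in for a driver, so the example runs without sqlite3.
const fakeDriver = {
  run(sql, params, cb) { cb(null, { sql, bound: params.length }); },
};

safeRun(fakeDriver, 'SELECT ?, ?', ['a', 1], (err, res) => console.log('good params:', err, res));
safeRun(fakeDriver, 'SELECT ?', [hostileParam], (err) => console.log('hostile param:', String(err)));
console.log('String(hostileParam):', stringifyOutcome(hostileParam));
```

The guard is a mitigation for code that cannot upgrade the driver immediately; the actual fix is in the linked commit, and upgrading to 5.0.3 or later remains the correct remedy.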