22738b1b50
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6 refs https://github.com/TryGhost/Toolbox/issues/465 - Bookshelf relations allows us to edit relational records by default, which was used liberally in the codebase. - Not having a clear track record of editable relations left the model layer prone to triggering unwanted nested saves and created a vulnerability where members were able to edit newsletter settings. - With explicit editable relations it's easier to keep track of relations having editable access to related records. Makes the relational data modification pattern safer to use too. - Anyone running 5.x should update to 5.24.1 Credits: Dave McDaniel and other members of [Cisco Talos](https://talosintelligence.com/vulnerability_reports) |
||
|---|---|---|
| .. | ||
| adapter-manager | ||
| admin | ||
| api-framework | ||
| api-version-compatibility-service | ||
| audience-feedback | ||
| bootstrap-socket | ||
| constants | ||
| core | ||
| custom-theme-settings-service | ||
| data-generator | ||
| domain-events | ||
| email-analytics-provider-mailgun | ||
| email-analytics-service | ||
| email-content-generator | ||
| email-events | ||
| email-service | ||
| email-suppression-list | ||
| express-dynamic-redirects | ||
| extract-api-key | ||
| html-to-plaintext | ||
| job-manager | ||
| link-redirects | ||
| link-replacer | ||
| link-tracking | ||
| magic-link | ||
| mailgun-client | ||
| member-attribution | ||
| member-events | ||
| members-api | ||
| members-csv | ||
| members-events-service | ||
| members-importer | ||
| members-ssr | ||
| minifier | ||
| mw-api-version-mismatch | ||
| mw-cache-control | ||
| mw-error-handler | ||
| mw-session-from-token | ||
| mw-update-user-last-seen | ||
| mw-vhost | ||
| oembed-service | ||
| offers | ||
| package-json | ||
| payments | ||
| portal | ||
| referrers | ||
| security | ||
| session-service | ||
| settings-path-manager | ||
| staff-service | ||
| stats-service | ||
| stripe | ||
| tiers | ||
| update-check-service | ||
| verification-trigger | ||
| version-notifications-data-service | ||