Ghost/ghost
Fabien "egg" O'Carroll b3caf16005 🔒 Fixed filtering on private Author fields in Content API
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9

Because our filtering layer is so coupled to the DB and we don't generally
apply restrictions, it was possible to fetch authors and filter by their
password or email field. Coupled with the "starts with" operator this can be
used to brute force the first character of these fields by trying random
combinations until an author is included in the filter. After which the next
character can be brute forced, and so on until the data has been leaked
completely.
2023-05-03 08:43:20 -04:00
adapter-cache-memory-ttl
adapter-cache-redis
adapter-manager
admin Added unpublished reason to post revisions (#16726) 2023-05-03 09:20:34 +02:00
announcement-bar Update CSS preprocessors 2023-05-01 16:43:16 +02:00
announcement-bar-settings Extracted announcement visibility values to single place 2023-04-26 14:42:33 +02:00
api-framework
api-version-compatibility-service
audience-feedback
bootstrap-socket
constants
core 🔒 Fixed filtering on private Author fields in Content API 2023-05-03 08:43:20 -04:00
custom-theme-settings-service
data-generator Prevented an invalid order during deletion 2023-05-02 16:34:47 +01:00
domain-events
dynamic-routing-events
email-analytics-provider-mailgun
email-analytics-service
email-content-generator
email-events
email-service
email-suppression-list
event-aware-cache-wrapper
express-dynamic-redirects
external-media-inliner
extract-api-key
html-to-plaintext
i18n Updated Sinhalese translations (#16639) 2023-05-01 16:49:04 +02:00
importer-handler-content-files
importer-revue
job-manager Update dependency date-fns to v2.30.0 2023-05-01 15:00:19 +02:00
link-redirects
link-replacer
link-tracking
magic-link
mailgun-client Fixed erroneous timing in reported Mailgun metrics 2023-05-01 15:05:59 +02:00
member-attribution
member-events
members-api
members-csv
members-events-service
members-importer
members-ssr
mentions-email-report
milestones
minifier
mw-api-version-mismatch
mw-cache-control
mw-error-handler Update dependency semver to v7.5.0 2023-04-26 10:14:22 +02:00
mw-session-from-token
mw-update-user-last-seen
mw-version-match Update dependency semver to v7.5.0 2023-04-26 10:14:22 +02:00
mw-vhost
oembed-service
offers
package-json
payments
portal Updated Portal back button translations 2023-05-02 16:51:48 +02:00
post-revisions Added unpublished reason to post revisions (#16726) 2023-05-03 09:20:34 +02:00
posts-service Removed unused bulkRemoveTags 2023-04-27 14:56:54 +02:00
referrers
security
session-service
settings-path-manager Update dependency date-fns to v2.30.0 2023-05-01 15:00:19 +02:00
slack-notifications
sodo-search Fixed sodo-search build script 2023-05-01 13:00:37 -04:00
staff-service
stats-service Update dependency @types/sinon to v10.0.14 2023-05-01 15:01:17 +02:00
stripe
tiers
update-check-service
verification-trigger
version-notifications-data-service
webmentions