Authorization Bypass in Ghost 5.35.0: Contributors Can View Other Users' Draft Posts

Authorization Bypass in Ghost 5.35.0: Contributors Can View Other Users' Draft Posts

CVE-2023-26510 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.

Learn more about our User Device Pen Test.