Ghost · Ghost · CVE-2026-29784
**Name of the Vulnerable Software and Affected Versions**
Ghost versions 5.101.6 through 6.19.2
**Description**
Incomplete CSRF protections around the `/session/verify` API endpoint allowed a One-Time Code (OTC) to be used in a login session other than the one that requested it. This could potentially allow attackers to take over a Ghost site through phishing attacks.
**Recommendations**
Update to version 6.19.3 or later.
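
The class of flaw in the description, shown from the defensive side: a verify handler that checks the request origin and accepts an OTC only from the session that requested it. This is an added example, not Ghost's code or the 6.19.3 patch; `SessionBoundOtc`, `handleVerify`, `SITE_ORIGIN` and the session ids are hypothetical names and constructed values.

```javascript
const crypto = require('node:crypto');

const SITE_ORIGIN = 'https://blog.example'; // constructed value for this example

// Hypothetical store: at most one pending code per login session.
class SessionBoundOtc {
  constructor(ttlMs = 5 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.pending = new Map(); // sessionId -> { digest, expiresAt }
  }

  // The digest covers the session id, so a code has no meaning outside its session.
  static digest(sessionId, code) {
    return crypto.createHash('sha256').update(`${sessionId}:${code}`).digest();
  }

  issue(sessionId, now = Date.now()) {
    const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
    const digest = SessionBoundOtc.digest(sessionId, code);
    this.pending.set(sessionId, { digest, expiresAt: now + this.ttlMs });
    return code; // delivered out of band (e.g. e-mail) to the account owner
  }

  verify(sessionId, code, now = Date.now()) {
    const entry = this.pending.get(sessionId);
    if (!entry) return false; // this session never requested a code
    this.pending.delete(sessionId); // one attempt per issued code, no replay
    if (now > entry.expiresAt) return false;
    const presented = SessionBoundOtc.digest(sessionId, String(code));
    return crypto.timingSafeEqual(entry.digest, presented);
  }
}

// Handler-level checks, in order: request origin first, then the session-bound code.
function handleVerify(store, { origin, sessionId, code }, now = Date.now()) {
  if (origin !== SITE_ORIGIN) return { status: 403, reason: 'origin' };
  if (!store.verify(sessionId, code, now)) return { status: 401, reason: 'code' };
  return { status: 200, reason: 'ok' };
}
```

A valid code submitted from any other session or origin is rejected without consuming the legitimate session's pending code.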