CVE-2023-31133

Name of the Vulnerable Software and Affected Versions Ghost versions prior to 5.46.1

Description The issue is due to a lack of validation when filtering on the public API endpoints, making it possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched, and there is no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1.

Recommendations For Ghost versions prior to 5.46.1, update to version 5.46.1 to resolve the issue. As a temporary workaround, consider adding a block for requests to "/ghost/api/content/*" where the filter query parameter contains password or email.