mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-01-04 17:04:59 +03:00
22738b1b50
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6 refs https://github.com/TryGhost/Toolbox/issues/465 - Bookshelf relations allows us to edit relational records by default, which was used liberally in the codebase. - Not having a clear track record of editable relations left the model layer prone to triggering unwanted nested saves and created a vulnerability where members were able to edit newsletter settings. - With explicit editable relations it's easier to keep track of relations having editable access to related records. Makes the relational data modification pattern safer to use too. - Anyone running 5.x should update to 5.24.1 Credits: Dave McDaniel and other members of [Cisco Talos](https://talosintelligence.com/vulnerability_reports) |
||
|---|---|---|
| .. | ||
| content | ||
| core | ||
| test | ||
| .c8rc.e2e.json | ||
| .c8rc.json | ||
| .eslintignore | ||
| .eslintrc.js | ||
| .gitignore | ||
| .npmignore | ||
| config.development.json | ||
| ghost.js | ||
| index.js | ||
| jsconfig.json | ||
| loggingrc.js | ||
| MigratorConfig.js | ||
| package.json | ||
| playwright.config.js | ||