Ghost/ghost/core/test/regression/api/content
Fabien "egg" O'Carroll b3caf16005 🔒 Fixed filtering on private Author fields in Content API
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9

Because our filtering layer is so coupled to the DB and we don't generally
apply restrictions, it was possible to fetch authors and filter by their
password or email field. Coupled with the "starts with" operator this can be
used to brute force the first character of these fields by trying random
combinations until an author is included in the filter. After which the next
character can be brute forced, and so on until the data has been leaked
completely.
2023-05-03 08:43:20 -04:00
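The prefix oracle the commit message describes, as an added JavaScript example that is not Ghost's own code. A starts-with filter applied to a private field leaks one character per batch of requests: the attacker keeps a character as soon as the target author shows up in the filtered result. The sample authors, the `browseAuthorsVulnerable`/`browseAuthorsFixed` functions and the `leakField` driver are constructed for this example; the tiny parser accepts only the NQL-style `field~^'prefix'` form and is a stand-in, not Ghost's filter layer. The fix shown (rejecting any filter that names a private field) is one way to close the hole and is an assumption about the approach, not a description of the actual patch.

```javascript
// Constructed sample data (not real accounts). The password column holds
// bcrypt-style hashes; the oracle leaks them just as readily as emails.
const AUTHORS = [
  { id: 1, slug: 'egg', email: 'egg@example.com', password: '$2a$10$hashhash' },
  { id: 2, slug: 'joe', email: 'joe@example.com', password: '$2a$10$other' },
];

// Minimal stand-in for a "starts with" filter: `field~^'prefix'`.
// (The `~^` operator mirrors NQL syntax; only this one form is parsed here.)
const FILTER_RE = /^(\w+)~\^'([^']*)'$/;

function parseStartsWithFilter(filter) {
  const m = FILTER_RE.exec(filter);
  if (!m) throw new Error('unsupported filter: ' + filter);
  return { field: m[1], prefix: m[2] };
}

// Vulnerable behaviour: whatever field the caller names is applied straight
// to the data, so private columns become a yes/no oracle.
function browseAuthorsVulnerable(filter) {
  const { field, prefix } = parseStartsWithFilter(filter);
  return AUTHORS.filter(a => String(a[field]).startsWith(prefix))
                .map(a => ({ id: a.id, slug: a.slug }));
}

// Hardened behaviour (assumed fix): private fields may not appear in a
// filter at all, regardless of operator, so no oracle exists.
const PRIVATE_FIELDS = new Set(['email', 'password']);

function browseAuthorsFixed(filter) {
  const { field, prefix } = parseStartsWithFilter(filter);
  if (PRIVATE_FIELDS.has(field)) {
    throw new Error(`filtering on '${field}' is not allowed`);
  }
  return AUTHORS.filter(a => String(a[field]).startsWith(prefix))
                .map(a => ({ id: a.id, slug: a.slug }));
}

// Oracle-guided extraction: grow the known prefix one character at a time,
// keeping a candidate as soon as the target author appears in the results.
// Checking the target id (not just "non-empty result") keeps it correct when
// several authors share a prefix, e.g. the common bcrypt header `$2a$10$`.
const ALPHABET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._$-/';

function leakField(browse, authorId, field, maxLen = 64) {
  let known = '';
  for (let i = 0; i < maxLen; i++) {
    let extended = false;
    for (const c of ALPHABET) {
      const hits = browse(`${field}~^'${known + c}'`);
      if (hits.some(a => a.id === authorId)) {
        known += c;
        extended = true;
        break;
      }
    }
    // No character extends the prefix: the whole value has been recovered.
    if (!extended) return known;
  }
  return known;
}

// Against the vulnerable endpoint the email and hash come out in full; the
// fixed endpoint throws on the very first probe.
function demo() {
  const leaked = leakField(browseAuthorsVulnerable, 1, 'email');
  let blocked = false;
  try {
    leakField(browseAuthorsFixed, 1, 'email');
  } catch (e) {
    blocked = true;
  }
  return { leaked, blocked };
}
```

The cost is linear in the alphabet size per character, not exponential in the value length, which is why a "starts with" operator on a secret is a full disclosure and not merely a one-bit leak; allowlisting filterable fields (or rejecting private ones, as above) is the check to make at the API boundary, before the filter reaches the query builder.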
authors.test.js 🔒 Fixed filtering on private Author fields in Content API 2023-05-03 08:43:20 -04:00
pages.test.js 🔒 Fixed filtering on private Author fields in Content API 2023-05-03 08:43:20 -04:00
posts.test.js 🔒 Fixed filtering on private Author fields in Content API 2023-05-03 08:43:20 -04:00
tags.test.js Fixed configUtils and adapter cache issues in E2E tests (#16167) 2023-01-30 14:06:20 +01:00
utils.js Added comment property to posts in Content API 2022-07-28 14:55:53 +01:00