Ghost/ghost
Fabien "egg" O'Carroll a22717a8e7 🔒 Fixed filtering on private Author fields in Content API
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9

Because our filtering layer is so coupled to the DB and we don't generally
apply restrictions, it was possible to fetch authors and filter by their
password or email field. Coupled with the "starts with" operator this can be
used to brute force the first character of these fields by trying random
combinations until an author is included in the filter. After which the next
character can be brute forced, and so on until the data has been leaked
completely.
2023-05-03 08:25:27 -04:00
adapter-cache-memory-ttl Update Test & linting packages 2023-04-05 15:16:08 +02:00
adapter-cache-redis Update Test & linting packages 2023-04-05 15:16:08 +02:00
adapter-manager Update Test & linting packages 2023-04-05 15:16:08 +02:00
admin v5.46.0 2023-04-28 16:00:41 +01:00
announcement-bar Released Announcement-Bar v1.1.4 2023-04-27 17:23:37 +04:00
announcement-bar-settings Extracted announcement visibility values to single place 2023-04-26 14:42:33 +02:00
api-framework Update @tryghost 2023-04-07 13:47:12 +02:00
api-version-compatibility-service Update Test & linting packages 2023-04-05 15:16:08 +02:00
audience-feedback Update @tryghost 2023-04-07 13:47:12 +02:00
bootstrap-socket Update @tryghost 2023-04-07 13:47:12 +02:00
constants Update Test & linting packages 2023-04-05 15:16:08 +02:00
core 🔒 Fixed filtering on private Author fields in Content API 2023-05-03 08:25:27 -04:00
custom-theme-settings-service Update @tryghost 2023-04-07 13:47:12 +02:00
data-generator Update @tryghost 2023-04-07 13:47:12 +02:00
domain-events Update @tryghost 2023-04-07 13:47:12 +02:00
dynamic-routing-events Update Test & linting packages 2023-04-05 15:16:08 +02:00
email-analytics-provider-mailgun Update Test & linting packages 2023-04-05 15:16:08 +02:00
email-analytics-service Update @tryghost 2023-04-07 13:47:12 +02:00
email-content-generator Update dependency fs-extra to v11.1.1 2023-03-21 07:35:30 +01:00
email-events Update Test & linting packages 2023-04-05 15:16:08 +02:00
email-service Added error handling for email analytics unsubscribe event (#16613) 2023-04-11 13:13:34 -07:00
email-suppression-list Update Test & linting packages 2023-04-05 15:16:08 +02:00
event-aware-cache-wrapper Update Test & linting packages 2023-04-05 15:16:08 +02:00
express-dynamic-redirects Update dependency c8 to v7.13.0 2023-02-16 22:15:50 +00:00
external-media-inliner Update Test & linting packages 2023-04-05 15:16:08 +02:00
extract-api-key Fixed full Admin test suite running during unit tests 2022-08-15 15:34:52 +02:00
html-to-plaintext Update dependency c8 to v7.13.0 2023-02-16 22:15:50 +00:00
i18n Added Ukrainian locale for Portal 2023-04-21 17:26:51 +02:00
importer-handler-content-files Update Test & linting packages 2023-04-05 15:16:08 +02:00
importer-revue Update @tryghost 2023-04-07 13:47:12 +02:00
job-manager Update @tryghost 2023-04-07 13:47:12 +02:00
link-redirects Update Test & linting packages 2023-04-05 15:16:08 +02:00
link-replacer Update Test & linting packages 2023-04-05 15:16:08 +02:00
link-tracking Update @tryghost 2023-04-07 13:47:12 +02:00
magic-link Update @tryghost 2023-04-07 13:47:12 +02:00
mailgun-client Update @tryghost 2023-04-07 13:47:12 +02:00
member-attribution Update @tryghost 2023-04-07 13:47:12 +02:00
member-events Update Test & linting packages 2023-04-05 15:16:08 +02:00
members-api Update @tryghost 2023-04-07 13:47:12 +02:00
members-csv Update Test & linting packages 2023-04-05 15:16:08 +02:00
members-events-service Update @tryghost 2023-04-07 13:47:12 +02:00
members-importer Update @tryghost 2023-04-07 13:47:12 +02:00
members-ssr Update @tryghost 2023-04-07 13:47:12 +02:00
mentions-email-report Update Test & linting packages 2023-04-05 15:16:08 +02:00
milestones Update Test & linting packages 2023-04-05 15:16:08 +02:00
minifier Update @tryghost 2023-04-07 13:47:12 +02:00
mw-api-version-mismatch Update Test & linting packages 2023-04-05 15:16:08 +02:00
mw-cache-control Update Test & linting packages 2023-04-05 15:16:08 +02:00
mw-error-handler Update dependency semver to v7.5.0 2023-04-26 10:14:22 +02:00
mw-session-from-token Update Test & linting packages 2023-04-05 15:16:08 +02:00
mw-update-user-last-seen Update Test & linting packages 2023-04-05 15:16:08 +02:00
mw-version-match Update dependency semver to v7.5.0 2023-04-26 10:14:22 +02:00
mw-vhost Update dependency c8 to v7.13.0 2023-02-16 22:15:50 +00:00
oembed-service Update @tryghost 2023-04-07 13:47:12 +02:00
offers Update @tryghost 2023-04-07 13:47:12 +02:00
package-json Update @tryghost 2023-04-07 13:47:12 +02:00
payments Update Test & linting packages 2023-04-05 15:16:08 +02:00
portal Update sentry-javascript monorepo to v7.49.0 2023-04-26 10:30:25 +02:00
post-revisions Added background saves every 10 mins for post-revisions (#16703) 2023-04-21 16:04:54 +01:00
posts-service Removed unused bulkRemoveTags 2023-04-27 14:56:54 +02:00
referrers Update Test & linting packages 2023-04-05 15:16:08 +02:00
security Update @tryghost 2023-04-07 13:47:12 +02:00
session-service Update Test & linting packages 2023-04-05 15:16:08 +02:00
settings-path-manager Update @tryghost 2023-04-07 13:47:12 +02:00
slack-notifications Update @tryghost 2023-04-07 13:47:12 +02:00
sodo-search Update dependency tailwindcss to v3.3.2 2023-04-26 06:36:40 +02:00
staff-service Update Test & linting packages 2023-04-05 15:16:08 +02:00
stats-service Update Test & linting packages 2023-04-05 15:16:08 +02:00
stripe Update @tryghost 2023-04-07 13:47:12 +02:00
tiers Update @tryghost 2023-04-07 13:47:12 +02:00
update-check-service Update @tryghost 2023-04-07 13:47:12 +02:00
verification-trigger Update Test & linting packages 2023-04-05 15:16:08 +02:00
version-notifications-data-service Update Test & linting packages 2023-04-05 15:16:08 +02:00
webmentions Fixed flaky test: Can generate a mentions report (#16592) 2023-04-07 19:03:22 -07:00