⚡ Webinar ▶ Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM Save Your Seat
#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter

Ghost CMS | Breaking Cybersecurity News | The Hacker News

Two New Security Flaws Reported in Ghost CMS Blogging Software

Two New Security Flaws Reported in Ghost CMS Blogging Software

Dec 22, 2022 Website Security / Vulnerability
Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform known as  Ghost , one of which could be abused to elevate privileges via specially crafted HTTP requests. Ghost is an open source blogging platform that's used in more than 52,600 live websites, most of them located in the U.S., the U.K., German, China, France, Canada, and India. Tracked as CVE-2022-41654 (CVSS score: 9.6), the authentication bypass vulnerability allows unprivileged users (i.e., members) to make unauthorized modifications to newsletter settings. Cisco Talos, which  discovered  the shortcoming, said it could enable a member to change the system-wide default newsletter that all users are subscribed to by default. Even worse, the ability of a site administrator to inject JavaScript into the newsletter by default could be exploited to trigger the creation of arbitrary administrator accounts when attempting to edit the newsletter. "This gives unprivileged us
Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability

Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability

May 04, 2020
Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework , a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert. Tracked as CVE-2020-11651 and CVE-2020-11652 , the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a release published on April 29th. "We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure researchers had previously warned in an advisory last week. LineageOS, a maker of an open-source operating system based on Android, said it detected the intrusion on May 2nd at around 8 pm Pacific Time. "Around 8 pm PST on May 2nd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure," the company n
cyber security

external linkFinally, Everyone Can (and Should) Ensure Essential SaaS Security

websiteWing SecuritySaaS Security / Compliance
This new product will help you achieve the baseline requirements for ensuring safe SaaS usage.
Cybersecurity Resources