CVE-2022-41697
In short
Ghost 5.9.4 allows attackers to discover valid user accounts by sending specially-crafted login requests and observing different responses. This lets attackers build a list of real usernames before attempting password attacks.
Technical detail
User enumeration vulnerability in the Ghost 5.9.4 login endpoint (CWE-204): attackers can distinguish valid from invalid usernames by comparing the responses the endpoint returns. Exploitation requires only the ability to send unauthenticated HTTP requests; the impact is information disclosure of registered user identities.
Summary generated and translated by AI from the official description.
A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Ghost Foundation · Ghost