cve/2023/CVE-2023-26510.md

### [CVE-2023-26510](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26510)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.

### POC

#### Reference
- https://ghost.org/docs/security/
- https://gist.github.com/yurahod/2e11eabbe4b92ef1d44b08e37023ecfb
- https://gist.github.com/yurahod/828d5e6a077c12f3f74c6485d1c7f0e7

#### Github
No PoCs found on GitHub currently.
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2023-26510](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26510)`
			`![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			`Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.`

			`### POC`

			`#### Reference`
			`- https://ghost.org/docs/security/`
			`- https://gist.github.com/yurahod/2e11eabbe4b92ef1d44b08e37023ecfb`
			`- https://gist.github.com/yurahod/828d5e6a077c12f3f74c6485d1c7f0e7`

			`#### Github`
			`No PoCs found on GitHub currently.`