CVE-2023-31133

7.5 HIGH

📋 TL;DR

This vulnerability in Ghost CMS lets an unauthenticated attacker abuse the filter parameter of the public Content API: because filters on private fields were not rejected, an attacker can guess values such as password hashes and email addresses character by character and confirm each guess from which queries return results. Self-hosted Ghost instances below version 5.46.1 are affected; Ghost(Pro) has already been patched.

💻 Affected Systems

Products:
  • Ghost CMS
Versions: All versions below 5.46.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Ghost(Pro) instances are already patched. Only self-hosted instances running vulnerable versions are affected.

📦 What is this software?

Ghost is an open-source publishing platform and CMS built on Node.js. A site exposes a public, read-only Content API under /ghost/api/content/ that accepts a filter query parameter (Ghost's NQL syntax) to select posts, pages, authors and tags; the missing validation lives in that filter handling.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could extract sensitive data about user accounts, including password hashes and email addresses, leading to offline password cracking, account compromise and privacy violations.

🟠

Likely Case

Attackers discover and extract private user information through automated scanning, potentially leading to credential stuffing attacks and privacy breaches.

🟢

If Mitigated

With the fix applied, the Content API rejects filters that reference private fields, so those fields remain protected and the endpoints function normally without data leakage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no authentication: the Content API is public, and the attacker only has to submit repeated GET requests with crafted filter values and observe which ones return results, which is straightforward to automate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.46.1

Vendor Advisory: https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9

Restart Required: Yes

Instructions:

1. Back up your Ghost instance (content directory and database).
2. Update Ghost to version 5.46.1 or later: for Ghost-CLI installs, run ghost update from the install directory; otherwise use your package manager, container image tag or deployment method.
3. Restart the Ghost service (ghost update restarts it for you; otherwise run ghost restart).
4. Verify the update was successful with ghost version, which must report 5.46.1 or higher.

🔧 Temporary Workarounds

Block filter requests that reference private fields

Platforms: all (applied at the reverse proxy in front of Ghost)

Add web server rules that reject Content API requests whose filter parameter mentions 'password' or 'email'. Both rules below match the raw, undecoded query string, so a percent-encoded variant such as pass%77ord is not caught; treat this as a stopgap until you can update.

# For nginx: add to the server block that proxies to Ghost.
# A regex location takes precedence over the usual "location /" block,
# so the proxy_pass (and any proxy_set_header) directives from that block
# must be repeated here or the Content API stops being proxied at all.
location ~ ^/ghost/api/content/ {
    if ($args ~* "filter.*(password|email)") {
        return 403;
    }
    proxy_pass http://127.0.0.1:2368;   # Ghost's default port; match your existing location / block
}
# For Apache: add to .htaccess. In a reverse-proxy VirtualHost, put the same
# directives in the VirtualHost and give the pattern a leading slash: ^/ghost/api/content/
RewriteEngine On
RewriteCond %{QUERY_STRING} filter.*(password|email) [NC]
RewriteRule ^ghost/api/content/ - [F]

🧯 If You Can't Patch

  • Implement strict per-client rate limiting on /ghost/api/content/* (for example nginx limit_req): it raises the cost of character-by-character guessing but does not close the leak
  • Deploy a WAF with rules that block requests whose filter parameter references private fields, matching on the URL-decoded query so percent-encoded variants are caught as well

🔍 How to Verify

Check if Vulnerable:

Check the Ghost version on the About page of the admin panel, or run ghost version from the install directory (Ghost-CLI). The running version is also returned without authentication by GET /ghost/api/admin/site/ in the site.version field.

Check Version:

ghost version

Verify Fix Applied:

Confirm the version is 5.46.1 or higher, then confirm that a Content API request whose filter references a private field ('password' or 'email') is rejected with an error instead of returning filtered results.
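The version check above, as an added example (not Ghost's own tooling): it accepts either the output of ghost version, where Ghost-CLI prints a "Ghost version: x.y.z" line when run inside the install directory, or the JSON body of the unauthenticated GET /ghost/api/admin/site/ endpoint, and compares against 5.46.1 numerically so that 5.100.x is not mistaken for an old release. The CLI output and JSON body below are constructed samples; the live fetch is only attempted when a base URL is passed on the command line.

```python
"""Decide whether a Ghost install is still below 5.46.1 (the CVE-2023-31133 fix).

Added example, not Ghost's tooling. Inputs: `ghost version` output (the
"Ghost version: x.y.z" line format is as Ghost-CLI prints it) or the JSON
from GET /ghost/api/admin/site/, which carries the running version in
site.version. Both sample inputs below are constructed.
"""
import json
import re
import sys
from urllib.request import urlopen

FIXED = (5, 46, 1)  # first release containing the fix

SAMPLE_CLI_OUTPUT = """\
Ghost-CLI version: 1.24.0
Ghost version: 5.46.0 (at /var/www/ghost)
"""

SAMPLE_SITE_JSON = (
    '{"site":{"title":"Example","version":"5.46.0","url":"https://example.org/"}}'
)


def parse_version(text):
    """Parse 'x.y.z' (optional leading v, pre-release suffix ignored) into an int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True for every release below 5.46.1, including all 4.x and earlier."""
    return parse_version(version) < FIXED


def version_from_cli_output(output):
    """Pull the Ghost version, not the Ghost-CLI version, out of `ghost version` output."""
    m = re.search(r"^Ghost version:\s*v?(\d+\.\d+\.\d+)", output, re.M)
    if not m:
        raise ValueError("no 'Ghost version:' line; run ghost version inside the install directory")
    return m.group(1)


def version_from_site_json(body):
    """Version reported by GET /ghost/api/admin/site/ (no authentication needed)."""
    return json.loads(body)["site"]["version"]


def check_remote(base_url, timeout=10):
    """Fetch the site endpoint of a live instance and return (version, vulnerable)."""
    with urlopen(base_url.rstrip("/") + "/ghost/api/admin/site/", timeout=timeout) as resp:
        version = version_from_site_json(resp.read().decode())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        version, vuln = check_remote(sys.argv[1])
    else:
        version = version_from_cli_output(SAMPLE_CLI_OUTPUT)
        vuln = is_vulnerable(version)
    print(f"Ghost {version}: {'VULNERABLE, update to 5.46.1+' if vuln else 'patched'}")
```

Run it as python3 check_ghost.py https://your-site.example to query a live instance, or pipe nothing to see it evaluate the constructed sample. A reverse proxy that blocks /ghost/api/admin/ from the outside will make the remote check fail; fall back to ghost version on the host in that case.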

📡 Detection & Monitoring

Log Indicators:

  • Bursts of requests to /ghost/api/content/* from one client whose filter value changes slightly each time (a growing guessed prefix), most of them answered with 200 rather than an error
  • Requests whose filter query string references 'password' or 'email', including percent-encoded spellings

Network Indicators:

  • Unusual volume of requests to Content API endpoints with filter parameters from a single source
  • Sequences of near-identical requests that differ only in the filter value, the signature of parameter brute-forcing

SIEM Query:

source="ghost.logs" AND url_path="/ghost/api/content/*" AND (query_string="*filter*password*" OR query_string="*filter*email*")
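The log indicators and SIEM query above, and the encoding gap noted for the web-server workaround, are covered by the following added example (not Ghost's code): it parses nginx-style access log lines from the reverse proxy in front of Ghost, percent-decodes the filter parameter before matching so that pass%77ord is caught, and scores each client by how many private-field filters it sent and how many of those extended the previous guess by a prefix, which is what character-by-character brute-forcing looks like. The log lines, client IPs and filter values are constructed for this example; the dotted field paths in them are assumed for illustration.

```python
"""Detect CVE-2023-31133 probing in the access log of the reverse proxy in
front of Ghost.

Added example; not Ghost's code. Assumes nginx "combined" log lines in which
the request target is logged percent-encoded as the client sent it. The sample
lines, client IPs and filter values below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Private fields the advisory names; extend if your deployment has others.
PRIVATE_FIELDS = ("password", "email")

# An NQL field reference is `name:` (optionally dotted, e.g. authors.password:),
# so requiring the trailing colon avoids matching the word used as a filter value.
PRIVATE_RE = re.compile(r"\b(" + "|".join(PRIVATE_FIELDS) + r")\s*:", re.I)

# NQL comparison operators that may precede a quoted literal.
OP_RE = re.compile(r"^(?:~\^|~\$|~|-)")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Constructed sample: one client walks a password hash prefix (third line
# percent-encodes the field name), then switches to email; the other is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:12:00:01 +0000] "GET /ghost/api/content/posts/?key=abc&filter=authors.password:~^'%242a' HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2023:12:00:02 +0000] "GET /ghost/api/content/posts/?key=abc&filter=authors.password:~^'%242a%2410' HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2023:12:00:03 +0000] "GET /ghost/api/content/posts/?key=abc&filter=authors.pass%77ord:~^'%242a%2410%24' HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2023:12:00:04 +0000] "GET /ghost/api/content/posts/?key=abc&filter=authors.email:~^'a' HTTP/1.1" 200 512
198.51.100.9 - - [10/May/2023:12:00:05 +0000] "GET /ghost/api/content/posts/?key=abc&filter=tag:getting-started HTTP/1.1" 200 2048
198.51.100.9 - - [10/May/2023:12:00:06 +0000] "GET /ghost/api/content/posts/?key=abc&filter=authors.slug:jane HTTP/1.1" 200 2048
"""


def filter_from_target(target):
    """Return the percent-decoded `filter` query value of a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("filter")
    return values[0] if values else None


def references_private_field(filter_value):
    """True when the decoded filter names a private field (so pass%77ord is caught)."""
    return PRIVATE_RE.search(filter_value) is not None


def guessed_literal(filter_value):
    """The literal being tested: text after the first ':' minus operator and quotes."""
    if ":" not in filter_value:
        return ""
    rest = filter_value.split(":", 1)[1]
    return OP_RE.sub("", rest, count=1).strip("'\"")


def analyze(log_text):
    """Per client IP: number of Content API requests that filtered on a private
    field, which fields, and how many requests extended the previous guess by
    a prefix (the character-by-character pattern of a brute force)."""
    clients = defaultdict(lambda: {"hits": 0, "fields": set(), "chained": 0, "_last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith("/ghost/api/content/"):
            continue
        flt = filter_from_target(m.group("target"))
        if not flt:
            continue
        fm = PRIVATE_RE.search(flt)
        if not fm:
            continue
        rec = clients[m.group("ip")]
        rec["hits"] += 1
        rec["fields"].add(fm.group(1).lower())
        lit = guessed_literal(flt)
        last = rec["_last"]
        if last is not None and len(lit) > len(last) and lit.startswith(last):
            rec["chained"] += 1
        rec["_last"] = lit
    for rec in clients.values():
        rec.pop("_last")
    return dict(clients)


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for ip, rec in analyze(text).items():
        print(f"{ip}: {rec['hits']} private-field filters on {sorted(rec['fields'])}, "
              f"{rec['chained']} prefix-extending guesses")
```

Feed it a real log with python3 ghost_probe.py < /var/log/nginx/access.log. A single hit already warrants a look, because no legitimate Content API client filters on password or email; a non-zero chained count is the brute-force signature and should be treated as an active extraction attempt against that instance.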
