漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Ghost: File Upload Content-Type Spoofing
Vulnerability Description
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
危险类型文件的不加限制上传
Vulnerability Title
Ghost 任意文件上传漏洞
Vulnerability Description
Ghost是Ghost基金会开源的一款内容管理平台。 Ghost 6.19.4版本至6.21.1之前版本存在任意文件上传漏洞,该漏洞源于对客户端提供的Content-Type验证不足,可能导致存储型跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A