Critical security update available #4

Closed
alan345 opened this issue Apr 30, 2021 · 2 comments

alan345 commented Apr 30, 2021

Hello,
After installing your repo, I got this error message:
Critical security update available — please update Ghost as soon as possible. Details here: GHSA-9fgx-q25h-jxrg

Fixed in 4.3.3, all 4.x sites should upgrade as soon as possible.
As the endpoint is unused, the patch simply removes it.

thelovekesh (Owner) commented

You have got this message due to a big security update in Ghost v4.

Details

An unused endpoint added during the development of 4.0.0 is vulnerable to allowing untrusted users access to Ghost Admin. An attacker may gain access by convincing an authenticated Ghost Staff User to click a link containing malicious code. Users do not need to enter credentials and may not know they’ve visited a malicious site for this exploit to be effective.

Update

I am updating Ghost to the latest version. You can also do this by updating the ghost dependency in package.json.
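
A way to check which side of the 4.3.3 fix a project's `ghost` dependency falls on, as an added example that is not part of this issue thread or of the Ghost project's code. The function names, result labels and sample manifests are constructed for illustration; the 4.3.3 threshold is the one quoted above.

```javascript
// Added example (not from the issue thread or the Ghost project).
// Fix version for 4.x as quoted in the advisory text on this page.
const FIXED_4X = [4, 3, 3];

// Extract the first MAJOR.MINOR.PATCH triple from a version or range string.
function firstVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isBelowFix(v) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_4X[i]) return v[i] < FIXED_4X[i];
  }
  return false; // equal to the fixed release
}

// pkg: parsed package.json. installed: the version actually resolved (for
// example from the lockfile), if known; it takes priority over the range.
function checkGhostDependency(pkg, installed) {
  const spec = (pkg.dependencies || {}).ghost;
  if (spec === undefined && installed === undefined) return "no-ghost-dependency";
  // Upper bounds and "||" alternatives are not evaluated here: check by hand.
  if (installed === undefined && /[<|]/.test(spec)) return "unknown";
  const exact = installed !== undefined || /^=?v?\d+\.\d+\.\d+$/.test(String(spec).trim());
  const v = firstVersion(installed !== undefined ? installed : spec);
  if (!v) return "unknown";         // "latest", "4.x", git URL, ...
  if (v[0] !== 4) return "not-4.x"; // the advisory text here only covers 4.x
  if (!isBelowFix(v)) return "ok";
  // A range such as ^4.0.0 can resolve to a fixed release on a fresh install,
  // but an older lockfile entry still satisfies it, so raise the floor.
  return exact ? "affected" : "floor-below-fix";
}

// Constructed sample manifests: [package.json contents, installed version].
const samples = [
  [{ dependencies: { ghost: "4.2.0" } }, undefined],
  [{ dependencies: { ghost: "^4.0.0" } }, undefined],
  [{ dependencies: { ghost: "^4.0.0" } }, "4.3.3"],
  [{ dependencies: { ghost: "4.3.3" } }, undefined],
];
for (const [pkg, installed] of samples) {
  console.log(pkg.dependencies.ghost, installed || "-", checkGhostDependency(pkg, installed));
}
```

A `floor-below-fix` result means the declared range still admits a pre-4.3.3 release, so the resolved version in the lockfile decides whether the deployed site is patched.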

alan345 commented May 1, 2021

Thank you!
I wonder how you can update Heroku after updating the package.json. Will it overwrite the actual Heroku project?
