A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database.
If you run your own Ghost site, now is a great time to upgrade to version 6.19.1 or later. More info can be found in the Ghost Forum post below:
Security update available for Ghost 6.x
We’ve been made aware of a security vulnerability in Ghost versions up to v6.19.0. This is patched in v6.19.1, which has been released and rolled out on Ghost(Pro). Self-hosters should update to v6.19.1 as soon as possible. Details: A SQL injection vulnerability existed in Ghost’s Content API that allowed unauthenticated attackers to read arbitrary data from the database. Docker Image: The Docker image for v6.19.1 is available on Docker Hub here. We’re actively working on improving when and…
I just so happened to be looking at the Ghost forum today when I came across the security disclosure. Had I not been on the forum, my RSS reader would have at least picked up the release note here (See also Feed URL: https://github.com/TryGhost/Ghost/releases.atom).
If you have a better way to keep up with GitHub security advisories for projects, leave a comment to let me know. 🙏
