Impact
The flaw involves inconsistent responses from Ghost’s members signin endpoint when a magic link is requested. An unauthenticated attacker can submit arbitrary email addresses and observe differing responses that reveal whether the email is registered. This results in a member existence data leak, giving attackers knowledge of the site's user base. The vulnerability is classified as CWE‑204.
Affected Systems
Ghost, a Node.js content management system from TryGhost, is affected in versions 5.18.0 through 6.21.0 inclusive. Version 6.21.1 and later contain the fix. Any Ghost site that exposes the magic‑link signin endpoint to the public is at risk.
Risk and Exploitability
The CVSS score of 5.3 denotes moderate severity, focusing on information disclosure with no direct exploitation path. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog, indicating limited known exploitation. The likely attack vector is an unauthenticated HTTP request to the members login API, requiring no privileged access. An attacker could enumerate internal users and potentially launch credential‑guessing or phishing campaigns based on the disclosed membership information.
OpenCVE Enrichment