CVE-2024-39313
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
toy-blog is a headless content management system implementation. Starting in version 0.5.4 and prior to version 0.6.1, articles with private visibility can be read if the reader does not set credentials for the request. Users should upgrade to 0.6.1 or later to receive a patch. No known workarounds are available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| KisaragiEffective | toy-blog | >= 0.5.4, < 0.6.1 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/KisaragiEffective/toy-blog/security/advisories/GHSA-rf2q-5q4q-5fwr
- https://github.com/KisaragiEffective/toy-blog/commit/f13a45f68c9560124558e6bb445ad441a4cf4732
References
- https://github.com/KisaragiEffective/toy-blog/security/advisories/GHSA-rf2q-5q4q-5fwr
- https://github.com/KisaragiEffective/toy-blog/commit/f13a45f68c9560124558e6bb445ad441a4cf4732
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.