CVE-2021-39192: 
JavaScript vulnerability analysis and mitigation

Ghost, a Node.js content management system, was found to contain a privilege escalation vulnerability (CVE-2021-39192) affecting versions 4.0.0 through 4.9.4. The vulnerability was discovered in the implementation of the limits service, which allowed all authenticated users, including contributors, to view admin-level API keys through the integrations API endpoint (GitHub Advisory).

The vulnerability stems from an error in the limits service implementation that incorrectly allowed access to admin-level API keys via the integrations API endpoint. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network vector attack with low complexity, requiring high privileges but no user interaction (NVD).

The vulnerability allows authenticated users with contributor-level access to view admin-level API keys, potentially leading to unauthorized administrative access and privilege escalation. This exposure of sensitive API keys could result in unauthorized access to administrative functions and sensitive data (GitHub Advisory).

The vulnerability was patched in Ghost version 4.10.0. For immediate mitigation, administrators can disable all non-Administrator accounts to prevent API access. It is strongly recommended to regenerate all API keys after applying either the patch or the workaround (GitHub Release, GitHub Advisory).