CVE-2023-40028: 
JavaScript vulnerability analysis and mitigation

Ghost, an open source content management system, was found to contain a vulnerability (CVE-2023-40028) in versions prior to 5.59.1. The vulnerability was disclosed on August 15, 2023, affecting all Ghost installations running versions up to 5.59.0 (NVD, GitHub Advisory).

The vulnerability allows authenticated users to upload files that are symlinks, which can be exploited to perform arbitrary file reads of any file on the host operating system. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NIST and 4.9 (MEDIUM) by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access) by NIST and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) by GitHub (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive information. An authenticated attacker could exploit this vulnerability to read arbitrary files on the host operating system, potentially accessing confidential system files or other sensitive data stored on the server (GitHub Advisory).

The vulnerability has been fixed in Ghost version 5.59.1. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (NVD, GitHub Advisory).