feat: add Task #38 — Ghost CMS urgent security update
CVE-2026-26980 (CVSS 9.4) + CVE-2026-29784 (CVSS 7.5)
Current version: 6.16.1 (vulnerable)
Target version: 6.19.3 (patches both CVEs)
Exposure window: March 2 - present
Deployment plan covers both Ghost CLI and Docker update paths.
Ghost CMS flagged as undocumented service — manifest update needed.
Created by Chronicler #29
@@ -32,6 +32,29 @@ Quick wins that unlock other work or provide immediate value.


---


### 38. Ghost CMS Security Update — ⚠️ URGENT

**Time:** 15-30 minutes

**Status:** PATCH IMMEDIATELY — 8 days exposed

**Priority:** Tier 0 — Critical Security

**Documentation:** `docs/tasks/ghost-security-update/`


Ghost CMS at firefrostgaming.com is running v6.16.1, vulnerable to two active CVEs. No workaround exists — must update to 6.19.3.


**CVEs:**

- CVE-2026-26980 (CVSS 9.4 Critical) — SQL injection in Content API, unauthenticated DB read

- CVE-2026-29784 (CVSS 7.5 High) — CSRF account takeover via session/verify endpoint


**Key Deliverables:**

- Ghost updated to v6.19.3 on Ghost VPS (64.50.188.14)

- Site verified operational post-update

- Infrastructure manifest updated (Ghost CMS was undocumented)


**Dependencies:** Requires SSH access to Ghost VPS (64.50.188.14)


**See task directory for complete update procedure (CLI and Docker paths both documented).**


---


### 1. Centralized Whitelist Manager Web Dashboard — ✅ COMPLETE

**Time:** 2-2.5 hours (actual: ~4 hours over 2 sessions)

**Status:** ✅ FULLY OPERATIONAL

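Review bot: the Key Deliverables list under `### 38.` ends at "Site verified operational post-update", but the same entry describes an 8-day exposure to an unauthenticated DB-read SQL injection and a CSRF account-takeover bug, so "site is up" is not a sufficient exit criterion; add deliverables for the post-exposure checks (review access logs for the exposure window for requests to the affected Content API and session/verify endpoints, invalidate existing admin sessions and rotate admin credentials, and confirm the running version reports 6.19.3) so the task is not closed on a successful restart alone. Also, `**Status:** PATCH IMMEDIATELY — 8 days exposed` bakes in a day count that is stale the moment it is merged; record the exposure start date instead (the commit message gives March 2) and let the reader compute elapsed time. Minor: the VPS address appears in both Key Deliverables and Dependencies; one reference is enough.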