firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
2fca5b4eed754e708c8a70f8b9abbceded702e2c
firefrost-operations-manual/docs/archive/retired-tasks/ghost-security-update/README.md
Claude fe461450c4 Cleanup: Archive retired tasks, remove duplicate templates 
Archived to docs/archive/retired-tasks/:
- Ghost CMS tasks (6 folders) - retired April 2, 2026
- Paymenter tasks (2 folders) - retired April 3, 2026
- Ghost website pages

Removed duplicate templates:
- MEMORIAL-TEMPLATE.md (keeping lowercase version)
- PORTRAIT-PROMPT-TEMPLATE.md (keeping lowercase version)
- SESSION-REPORT-TEMPLATE.md (keeping lowercase version)
- OPENER-TEMPLATE.md

Chronicler #66
2026-04-07 17:47:29 +00:00

45 lines
1.5 KiB
Markdown
Raw Blame History

# Ghost CMS Security Update — CVE-2026-26980 + CVE-2026-29784
**Status:** URGENT — PATCH IMMEDIATELY
**Owner:** Michael "Frostystyle" Krause
**Priority:** Tier 0 — Critical Security
**Created:** 2026-03-10
**Created By:** Chronicler #29
---
## Situation
Ghost CMS at firefrostgaming.com is running v6.16.1, which is vulnerable to two active CVEs.
| CVE | Severity | Description | Fixed In |
|-----|----------|-------------|----------|
| CVE-2026-26980 | Critical (CVSS 9.4) | SQL injection in Content API — unauthenticated attackers can read arbitrary data from the database | 6.19.1 |
| CVE-2026-29784 | High (CVSS 7.5) | CSRF flaw on `/session/verify` endpoint — account takeover via phishing | 6.19.3 |
**No application-level workaround exists for CVE-2026-26980.** Must update.
**Exposure window:** March 2, 2026 (alert received) — present. Site is public-facing.
**Target version: 6.19.3** (patches both CVEs)
---
## Quick Links
- [Deployment Plan](deployment-plan.md) — Step-by-step update procedure
- [Infrastructure Note](infrastructure-note.md) — Ghost CMS added to manifest
---
## Infrastructure Note
Ghost CMS was not previously documented in the infrastructure manifest. This update task also triggers an infrastructure manifest update to add Ghost CMS as a service on Ghost VPS.
**Server:** Ghost VPS (64.50.188.14)
**URL:** https://firefrostgaming.com
**Admin:** https://firefrostgaming.com/ghost
**Version (vulnerable):** 6.16.1
**Database:** MySQL 8
**Environment:** Production
Reference in New Issue View Git Blame Copy Permalink