Ghost CMS vulnerable to critical authentication bypass flaw

Ghost CMS logo over a ghostly figure

A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript.

Such an action could allow threat actors to perform large-scale phishing attacks from normally harmless sites. Furthermore, the injection of JavaScript has been shown to allow XSS vulnerabilities that could enable threat actors to gain full access to a site.

Ghost is a free and open-source CMS for building websites, publishing content, and sending newsletters, used as a speedier and simpler alternative to WordPress.

According to BuiltWith, Ghost is used by approximately 126k websites, with most of them based in the United States, the United Kingdom, and Germany.

Targeted remotely

The Cisco Talos team discovered the authentication bypass flaw on October 2022, which they tested and confirmed impacted Ghost version 5.9.4. However, it likely affects more versions before and after it.

The flaw is tracked as CVE-2022-41654 and has a CVSS v3 severity score of 9.6, rating it critical.

Newsletter subscribers (members) are external users with no special privileges on the site, so they are only required to provide an email address and become members without administrator approval.

However, Cisco Talos discovered that an exposed API with an incorrect inclusion of the “newsletter” relationship could give subscribers access to that subsystem, allowing them to modify or create newsletters.

This includes the system-wide default newsletter that all members are subscribed to by default, essentially giving the attackers the power to send out any content they wish to all subscribers.

Post-exploitation user object
Post-exploitation user object (Cisco Talos)

A second problem arising from the same flaw is the ability to inject JavaScript into the newsletter, which Ghost permits by default, assuming only administrators can access this powerful function.

For example, the Cisco Talos team leveraged this flaw to inject an XSS (cross-site scripting) object to create an administrator account, triggered when the admin attempts to edit the default newsletter.

Example of XSS that creates new admin account
Example of XSS that creates a new admin account (Cisco Talos)

Along with the above flaw, the Talos researchers also discovered CVE-2022-41697, a medium severity user enumeration vulnerability in the login functionality of Ghost, allowing an attacker to verify if an email address is associated with a user on the site.

The two vulnerabilities have been addressed by Ghost on the latest version of the CMS, so all admins of websites built on Ghost are recommended to apply the available security update as soon as possible.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

join
Click Above for Telegram
discord
Click Above for Discord
reddit
Click Above for Reddit
hd linkedin
Click Above For LinkedIn