Ghost CMS authentication bypass vulnerability
Target Industry
Indiscriminate and opportunistic targeting.
Overview
Severity level: Critical – Exploitation of this vulnerability allows attackers to launch phishing campaigns from vulnerable newsletters, resulting in reputational damage. Furthermore, this vulnerability also introduces the possibility of Cross-Site Scripting (XSS), allowing attackers to take control of affected sites.
A patch was released by the vendor on 28th November 2022.
Impact
Given the critical severity of the vulnerability, the projected impact is severe, including reputational damage from phishing sent through a trusted newsletter and loss of control of the site through XSS.
Vulnerability Detection
Ghost CMS was made aware of the vulnerability on 26th October 2022, with the patch being released on 28th November 2022.
The API endpoint ‘/members/api/member/’ is exposed to non-administrative users. Because the member object carries a relationship to newsletters, requests to this endpoint indirectly allow non-administrative users to create and modify all newsletter subscriptions. An extension of this allows non-administrative users to inject JavaScript into newsletters – a function intended to be reserved for administrators only.
Note that a non-administrative user in this context is any user that has signed up to a newsletter by supplying an email address.
Affected Products
Ghost versions 5.0.0-5.22.6
Ghost versions 4.46.0-4.48.7
Containment, Mitigations & Remediations
It is strongly recommended that customers who use Ghost CMS to publish articles and/or send newsletters update to the patched versions 5.22.7+ or 4.48.8+.
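The following is an added example (not Ghost code, and not part of the original advisory) that checks an installed Ghost version against the affected ranges and patched versions stated above. The ranges are taken from this advisory; the version strings used as samples are constructed.

```python
"""Check a Ghost version string against the affected ranges in this advisory.

Added example, not Ghost project code. Affected ranges and fixed versions
are copied from the advisory text; everything else is illustrative.
"""
import re

# Inclusive (low, high) ranges from the advisory: 5.0.0-5.22.6 and 4.46.0-4.48.7
AFFECTED_RANGES = [
    ((5, 0, 0), (5, 22, 6)),
    ((4, 46, 0), (4, 48, 7)),
]
# First patched release per major line, from the advisory
FIXED_VERSIONS = {5: (5, 22, 7), 4: (4, 48, 8)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', trailing pre-release tag
    ignored) into an integer tuple so comparisons are numeric, not lexical."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ghost version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text):
    """True when the version falls inside one of the advisory's affected ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def required_fix(text):
    """Return the patched version string to upgrade to, or None if not affected."""
    version = parse_version(text)
    if not is_vulnerable(text):
        return None
    return ".".join(str(part) for part in FIXED_VERSIONS[version[0]])


if __name__ == "__main__":
    # Constructed sample inputs covering the range boundaries
    for sample in ["5.22.6", "5.22.7", "4.48.7", "4.48.8", "v5.0.0", "4.45.9"]:
        fix = required_fix(sample)
        print(f"{sample:>8}: {'VULNERABLE, upgrade to ' + fix if fix else 'not in affected range'}")
```

Boundary versions are the ones worth testing: 5.22.6 and 4.48.7 are the last affected releases, while 5.22.7 and 4.48.8 are the first patched ones. A version outside the stated ranges (for example 4.45.9) is reported as not in the affected range only because the advisory does not list it; it is not evidence that the release is safe.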
Indicators of Compromise
Requests to the API endpoint ‘/members/api/member/’ whose POST data references newsletters, in particular requests that change newsletter attributes rather than only a member's subscription.
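The detection logic below is an added example, not code from Ghost or from the Talos researchers. It scans request records (method, path, JSON body) for writes to ‘/members/api/member/’ whose ‘newsletters’ entries carry more than a subscription reference, and separately flags script markup in those values. The assumption that a legitimate subscription change only references a newsletter by ‘id’ is the author's heuristic, not something stated in the advisory; the sample records are constructed.

```python
"""Heuristic detector for the indicator described above.

Added example, not Ghost or Talos code. Input is a list of request records
shaped like {"id": ..., "method": ..., "path": ..., "body": ...}; how such
records are obtained (reverse proxy logs, WAF capture) is out of scope.
"""
import json
import re

MEMBER_ENDPOINT = "/members/api/member"
WRITE_METHODS = {"POST", "PUT"}
# ASSUMPTION: a member toggling a subscription only needs the newsletter id;
# any other attribute in the entry is an attempt to modify the newsletter itself.
ALLOWED_NEWSLETTER_KEYS = {"id"}
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def analyse_request(record):
    """Return a list of finding strings for one record; empty when nothing is suspicious."""
    findings = []
    if record.get("method", "").upper() not in WRITE_METHODS:
        return findings
    path = record.get("path", "").split("?", 1)[0].rstrip("/")
    if path != MEMBER_ENDPOINT:
        return findings
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return ["member endpoint write with unparseable JSON body"]
    newsletters = body.get("newsletters") if isinstance(body, dict) else None
    if not isinstance(newsletters, list):
        return findings
    for index, entry in enumerate(newsletters):
        if not isinstance(entry, dict):
            continue
        extra = set(entry) - ALLOWED_NEWSLETTER_KEYS
        if extra:
            findings.append(f"newsletters[{index}] sets non-subscription fields: {sorted(extra)}")
        for key, value in entry.items():
            if isinstance(value, str) and SCRIPT_RE.search(value):
                findings.append(f"newsletters[{index}].{key} contains script markup")
    return findings


def scan(records):
    """Map record id -> findings for every record that produced at least one finding."""
    results = {}
    for record in records:
        findings = analyse_request(record)
        if findings:
            results[record["id"]] = findings
    return results


# Constructed sample traffic (not real captures)
SAMPLE_RECORDS = [
    {"id": "r1", "method": "PUT", "path": "/members/api/member/",
     "body": '{"newsletters": [{"id": "nl_1"}]}'},                       # normal subscribe
    {"id": "r2", "method": "GET", "path": "/members/api/member/", "body": ""},
    {"id": "r3", "method": "PUT", "path": "/members/api/member/",
     "body": '{"newsletters": [{"id": "nl_1", "name": "Weekly", '
             '"description": "<script>alert(1)</script>"}]}'},           # modifies newsletter
    {"id": "r4", "method": "POST", "path": "/members/api/send-magic-link/",
     "body": '{"email": "reader@example.invalid"}'},
    {"id": "r5", "method": "POST", "path": "/members/api/member/?x=1",
     "body": '{"newsletters": [{'},                                        # truncated body
]

if __name__ == "__main__":
    for record_id, findings in scan(SAMPLE_RECORDS).items():
        for finding in findings:
            print(f"{record_id}: {finding}")
```

Because this relies on request bodies, it has to run where bodies are visible (a reverse proxy or WAF that logs them); standard access logs record only the method and path, which is enough to spot writes to the endpoint but not to separate an ordinary subscription change from a newsletter modification.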
Threat Landscape
Ghost CMS is a free and open-source Content Management System used widely in the US, the UK and Germany, and is regarded as a simpler alternative to WordPress.
Mitre Methodologies
TA0042 – Resource Development
T1586.002 – Email Accounts
T1102 – Web Services
TA0004 – Privilege Escalation
T1548.002 – Bypass User Account Control
Further Information
Talos Intelligence Researchers