Ghost CMS authentication bypass vulnerability
Indiscriminate and opportunistic targeting.
Severity level: Critical – Exploitation of this vulnerability can allow attackers to launch phishing campaigns from vulnerable newsletters, resulting in reputation damage. Furthermore, this vulnerability also introduces the possibility of cross-site scripting (XSS), allowing attackers to take control of affected sites.
A patch was released by the vendor on 28th November 2022.
Given the critical severity of the vulnerability, the projected impact is severe, including reputation damage and loss of control of the site.
Ghost CMS was made aware of the vulnerability on 26th October 2022, with the patch being released on 28th November 2022.
Note that a non-administrative user in this context is any user who has signed up to a newsletter by supplying an email address.
Ghost versions 5.0.0-5.22.6
Ghost versions 4.46.0-4.48.7
Containment, Mitigations & Remediations
It is strongly recommended that customers who use Ghost CMS to publish articles and/or send newsletters update to the patched versions 5.22.7+ or 4.48.8+.
Indicators of Compromise
API endpoint requests to '/members/api/member/' whose POST data references newsletters, and unexpected changes to newsletters.
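Two defender-side checks implied by the advisory, written here as an added example (this is not Ghost's own code, nor tooling from the advisory): whether a reported Ghost version falls inside the affected ranges listed above, and a scan of request logs for the indicator of compromise above (write requests to '/members/api/member/' whose body references newsletters). The log format (JSON lines carrying method, path and request body), the sample records, and the choice to treat PUT and PATCH as write requests alongside POST are assumptions; standard web-server access logs do not record request bodies, so the scan needs an application or WAF log that does.

```python
"""Triage helpers for the Ghost CMS newsletter authentication bypass advisory.

Added example, not Ghost's own code or tooling from the advisory.
Assumptions (not from the page): request logs are JSON lines carrying
method, path and request body (standard access logs do not record bodies,
so this needs an application or WAF log); Ghost versions follow
major.minor.patch; PUT/PATCH are treated as write requests alongside POST.
"""
import json
import re

# Affected ranges stated in the advisory; first fixed releases are 5.22.7 and 4.48.8.
AFFECTED_RANGES = (((5, 0, 0), (5, 22, 6)), ((4, 46, 0), (4, 48, 7)))

# Indicator of compromise from the advisory: requests to this endpoint whose
# POST data references newsletters.
MEMBER_API_PATH = "/members/api/member/"
WRITE_METHODS = {"POST", "PUT", "PATCH"}  # assumption: any write verb counts


def parse_version(version):
    """Turn '5.22.6' or 'v5.22.6' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Ghost version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the given Ghost version falls inside an affected range."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def references_newsletters(body):
    """True when a request body carries a top-level 'newsletters' JSON key,
    or mentions newsletters at all (catches form-encoded or malformed bodies)."""
    if not body:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if isinstance(data, dict) and "newsletters" in data:
        return True
    return "newsletter" in body.lower()


def matches_ioc(record):
    """Apply the advisory's indicator to one parsed log record."""
    path = record.get("path", "")
    method = record.get("method", "").upper()
    return (
        path.startswith(MEMBER_API_PATH)
        and method in WRITE_METHODS
        and references_newsletters(record.get("body", ""))
    )


def scan_log(text):
    """Return the records from a JSON-lines log that match the indicator.
    Lines that are not valid JSON are skipped rather than aborting the scan."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue
        if matches_ioc(record):
            hits.append(record)
    return hits


# Constructed sample log (not real traffic): one subscriber session that reads
# the member record and then rewrites its newsletters, plus benign requests.
SAMPLE_RECORDS = [
    {"ts": "2022-11-29T10:01:02Z", "ip": "198.51.100.7", "method": "GET",
     "path": "/members/api/member/", "body": ""},
    {"ts": "2022-11-29T10:01:05Z", "ip": "198.51.100.7", "method": "PUT",
     "path": "/members/api/member/",
     "body": json.dumps({"newsletters": [{"name": "<changed title>"}]})},
    {"ts": "2022-11-29T10:02:11Z", "ip": "203.0.113.9", "method": "POST",
     "path": "/members/api/send-magic-link/",
     "body": json.dumps({"email": "reader@example.com"})},
    {"ts": "2022-11-29T10:03:40Z", "ip": "203.0.113.9", "method": "PUT",
     "path": "/members/api/member/", "body": json.dumps({"name": "Reader"})},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


if __name__ == "__main__":
    for v in ("4.45.9", "4.46.0", "4.48.8", "5.22.6", "5.22.7"):
        status = "AFFECTED, update" if is_affected(v) else "not in affected range"
        print(f"Ghost {v}: {status}")
    for hit in scan_log(SAMPLE_LOG):
        print(f"IoC match: {hit['ts']} {hit['ip']} {hit['method']} "
              f"{hit['path']} body={hit['body']}")
```

On the constructed sample only the subscriber's PUT that rewrites newsletters is flagged; the earlier GET to the same endpoint and the PUT that changes only the member's name are not. A match is a lead for review against the site's own newsletter change history rather than proof of exploitation, so pair it with the version check: a flagged request against an already-patched instance warrants far less concern than one against 5.22.6 or 4.48.7.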
Ghost CMS is a free and open source content management system used widely in the US, the UK and Germany, and is regarded as a simpler alternative to WordPress.
TA0042 – Resource Development
T1586.002 – Email Accounts
T1102 – Web Services
TA0004 – Privilege Escalation
T1548.002 – Bypass User Account Control
Talos Intelligence Researchers