Security Vulnerabilities in Ghost CMS

guest · Jan 20, 2023

Ghost CMS vulnerable to critical authentication bypass flaw
By Bill Toulas @billtoulas - December 23, 2023

A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript.
Click to expand...

Such an action could allow threat actors to perform large-scale phishing attacks from normally harmless sites. Furthermore, the injection of JavaScript has been shown to allow XSS vulnerabilities that could enable threat actors to gain full access to a site.

Ghost is a free and open-source CMS for building websites, publishing content, and sending newsletters, used as a speedier and simpler alternative to WordPress.
According to BuiltWith, Ghost is used by approximately 126k websites, with most of them based in the United States, the United Kingdom, and Germany.
Click to expand...

Targeted remotely
The Cisco Talos team discovered the authentication bypass flaw on October 2022, which they tested and confirmed impacted Ghost version 5.9.4. However, it likely affects more versions before and after it.

The flaw is tracked as CVE-2022-41654 and has a CVSS v3 severity score of 9.6, rating it critical.
Newsletter subscribers (members) are external users with no special privileges on the site, so they are only required to provide an email address and become members without administrator approval.
Click to expand...

A second problem arising from the same flaw is the ability to inject JavaScript into the newsletter, which Ghost permits by default, assuming only administrators can access this powerful function.

For example, the Cisco Talos team leveraged this flaw to inject an XSS (cross-site scripting) object to create an administrator account, triggered when the admin attempts to edit the default newsletter.
Click to expand...

Along with the above flaw, the Talos researchers also discovered CVE-2022-41697, a medium severity user enumeration vulnerability in the login functionality of Ghost, allowing an attacker to verify if an email address is associated with a user on the site.
Click to expand...

Cisco Talos: Vulnerability Spotlight: Authentication bypass and enumeration vulnerabilities in Ghost CMS

By Kri Dontje - December 21, 2023
isco Talos recently discovered two vulnerabilities in Ghost CMS, one authentication bypass vulnerability and one enumeration vulnerability.

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.
Click to expand...

Talos has identified an authentication bypass vulnerability that can lead to increased privileges. TALOS-2022-1624 (CVE-2022-41654) allows external users to update their newsletter preferences too liberally, which could allow a user full access to create and modify newsletters, including the default sent to all members.

TALOS-2022-1625 (CVE-2022-41697) is an enumeration vulnerability in the login functionality of Ghost which can lead to a disclosure of sensitive information.
An attacker can send HTTP requests to trigger these vulnerabilities.
Click to expand...

Users are encouraged to update this affected product as soon as possible: Ghost Foundation Ghost 5.9.4. Talos tested and confirmed this version of Ghost could be exploited by these vulnerabilities.
Click to expand...

guest · Jan 20, 2023

Vulnerability Spotlight: XSS vulnerability in Ghost CMS
By Kri Dontje - January 19, 2023

Cisco Talos recently discovered a cross-site scripting (XSS) vulnerability in Ghost CMS.
Click to expand...

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation.
Click to expand...

Ghost responded to notification of this advisory with: “Ghost is designed to be used by trusted users, and we are not interested in hypothetical attack vectors involving staff users attacking each other. This is not how the product is used. For any people who are using Ghost in an untrusted environment, we have clearly documented steps to add further separation of concerns between staff users... We do not consider this to be a valid report."

Cisco Talos believes these are potential security issues due to the fact that it is trivial to escalate privileges in default installations. Talos notified Ghost in adherence to Cisco’s vulnerability disclosure policy.
Click to expand...

Talos tested and confirmed this version of Ghost could be exploited by this vulnerability: Ghost Foundation Ghost 5.9.4.
Click to expand...

Log in or Sign up

Security Vulnerabilities in Ghost CMS

guest Guest

guest Guest

Log in or Sign up

Security Vulnerabilities in Ghost CMS

guest Guest

guest Guest

Useful Searches