A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript.
Such an action could allow threat actors to perform large-scale phishing attacks from normally harmless sites. Furthermore, the injection of JavaScript has been shown to allow XSS vulnerabilities that could enable threat actors to gain full access to a site.
Ghost is a free and open-source CMS for building websites, publishing content, and sending newsletters, used as a speedier and simpler alternative to WordPress.
According to BuiltWith, Ghost is used by approximately 126k websites, with most of them based in the United States, the United Kingdom, and Germany.
Targeted remotely
The Cisco Talos team discovered the authentication bypass flaw on October 2022, which they tested and confirmed impacted Ghost version 5.9.4. However, it likely affects more versions before and after it.
The flaw is tracked as CVE-2022-41654 and has a CVSS v3 severity score of 9.6, rating it critical.
Newsletter subscribers (members) are external users with no special privileges on the site, so they are only required to provide an email address and become members without administrator approval.
However, Cisco Talos discovered that an exposed API with an incorrect inclusion of the “newsletter” relationship could give subscribers access to that subsystem, allowing them to modify or create newsletters.
This includes the system-wide default newsletter that all members are subscribed to by default, essentially giving the attackers the power to send out any content they wish to all subscribers.
.png)
A second problem arising from the same flaw is the ability to inject JavaScript into the newsletter, which Ghost permits by default, assuming only administrators can access this powerful function.
For example, the Cisco Talos team leveraged this flaw to inject an XSS (cross-site scripting) object to create an administrator account, triggered when the admin attempts to edit the default newsletter.
Along with the above flaw, the Talos researchers also discovered CVE-2022-41697, a medium severity user enumeration vulnerability in the login functionality of Ghost, allowing an attacker to verify if an email address is associated with a user on the site.
The two vulnerabilities have been addressed by Ghost on the latest version of the CMS, so all admins of websites built on Ghost are recommended to apply the available security update as soon as possible.