Ghost is a free and open-source CMS for building websites, publishing content, and sending newsletters, used as a speedier and simpler alternative to WordPress.
According to BuiltWith, Ghost is used by approximately 126k websites, with most of them based in the United States, the United Kingdom, and Germany.
The Cisco Talos team discovered the authentication bypass flaw on October 2022, which they tested and confirmed impacted Ghost version 5.9.4. However, it likely affects more versions before and after it.
The flaw is tracked as CVE-2022-41654 and has a CVSS v3 severity score of 9.6, rating it critical.
Newsletter subscribers (members) are external users with no special privileges on the site, so they are only required to provide an email address and become members without administrator approval.
However, Cisco Talos discovered that an exposed API with an incorrect inclusion of the “newsletter” relationship could give subscribers access to that subsystem, allowing them to modify or create newsletters.
This includes the system-wide default newsletter that all members are subscribed to by default, essentially giving the attackers the power to send out any content they wish to all subscribers.
Post-exploitation user object (Cisco Talos)
For example, the Cisco Talos team leveraged this flaw to inject an XSS (cross-site scripting) object to create an administrator account, triggered when the admin attempts to edit the default newsletter.
Example of XSS that creates a new admin account (Cisco Talos)
Along with the above flaw, the Talos researchers also discovered CVE-2022-41697, a medium severity user enumeration vulnerability in the login functionality of Ghost, allowing an attacker to verify if an email address is associated with a user on the site.
The two vulnerabilities have been addressed by Ghost on the latest version of the CMS, so all admins of websites built on Ghost are recommended to apply the available security update as soon as possible.