A critical vulnerability in the Ghost CMS newsletter subscription system could let external users create newsletters or alter existing ones. Researchers noted that the impact is severe because an unprivileged subscriber could push attacker-controlled JavaScript into newsletters.
An attacker could use this to run large-scale phishing campaigns from otherwise legitimate websites, and the injected JavaScript amounts to a stored cross-site scripting (XSS) flaw that could give an attacker full access to the site.
A research team found the flaw, an access-control bypass, a couple of months ago and confirmed it against Ghost version 5.9.4. The researchers warned that earlier versions are likely affected as well.
The flaw carries a CVSS score of 9.6, which is rated critical.
The vulnerability is tracked as CVE-2022-41654. Newsletter subscribers are external users with no special privileges on the site: signing up requires only an email address and needs no admin approval.
The researchers found that an exposed API, with a misconfigured relationship include, let subscribers reach the newsletter subsystem through their own member record. As a result, a subscriber could modify or create newsletters.
Because every member is subscribed to the site-wide default newsletter, an attacker who edits that newsletter can effectively deliver whatever content they choose to all members.
A second issue follows from the same vulnerability: JavaScript can be injected into the newsletter, because Ghost does not sanitize that content on the assumption that only admins can reach the function.
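To make the mechanism concrete, here is an added example (not Ghost's code) of a member-facing "update my subscription" handler in the shape the advisory describes, beside a hardened version. The in-memory store, the handler names, and the newsletter fields used (`sender_email`, `footer_content`) are assumptions for illustration; the point is that including a writable relation on a self-service endpoint turns a subscription toggle into create/edit rights over the related table.

```javascript
// Added example, not Ghost's code: a member-facing "update my subscription"
// handler with a writable relation, beside a hardened version. The store,
// field names (footer_content, sender_email) and handler names are assumed.

// Constructed in-memory database standing in for the CMS tables.
function makeDb() {
  return {
    newsletters: new Map([
      [1, { id: 1, name: 'Weekly', status: 'active', sender_email: 'news@example.com', footer_content: '' }],
    ]),
    members: new Map([
      [42, { id: 42, email: 'reader@example.com', newsletters: [1] }],
    ]),
  };
}

// VULNERABLE: the member endpoint includes the `newsletters` relation and
// writes back whatever the client supplies for it. Sending full objects
// instead of ids therefore creates or edits newsletter rows (mass assignment
// through a relationship), which only an admin should be able to do.
function updateMemberVulnerable(db, memberId, body) {
  const member = db.members.get(memberId);
  if (!member) throw new Error('unknown member');
  const ids = [];
  for (const entry of body.newsletters || []) {
    if (entry !== null && typeof entry === 'object') {
      const id = entry.id ?? Math.max(0, ...db.newsletters.keys()) + 1;
      const current = db.newsletters.get(id) || {};
      db.newsletters.set(id, { ...current, ...entry, id }); // upsert the related row
      ids.push(id);
    } else {
      ids.push(entry);
    }
  }
  member.newsletters = ids;
  return member;
}

// HARDENED: a subscriber may only pick which existing, active newsletters
// they receive. Only `id` is read from each entry; every other field is
// discarded, and an unknown or inactive id is rejected.
function updateMemberHardened(db, memberId, body) {
  const member = db.members.get(memberId);
  if (!member) throw new Error('unknown member');
  const ids = [];
  for (const entry of body.newsletters || []) {
    const id = entry !== null && typeof entry === 'object' ? entry.id : entry;
    const existing = db.newsletters.get(id);
    if (!existing || existing.status !== 'active') {
      throw new Error(`newsletter ${id} is not available for subscription`);
    }
    ids.push(id);
  }
  member.newsletters = ids;
  return member;
}

// Constructed attacker request from an ordinary subscriber: rewrite the
// default newsletter's sender, inject script into its content, and add a
// brand-new newsletter in the same call.
const ATTACK_BODY = {
  newsletters: [
    { id: 1, sender_email: 'attacker@evil.example', footer_content: '<script>/* attacker payload */</script>' },
    { name: 'Promo', status: 'active' },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  const db = makeDb();
  updateMemberVulnerable(db, 42, ATTACK_BODY);
  console.log('vulnerable: newsletters now', [...db.newsletters.values()]);
  try {
    updateMemberHardened(makeDb(), 42, ATTACK_BODY);
  } catch (e) {
    console.log('hardened:', e.message);
  }
}
```

The hardened handler treats the relation as a set of foreign keys chosen from an allow-list, never as nested records to persist. When auditing an ORM-backed API, look for the same pattern: any endpoint reachable by a low-privilege role that accepts a relation and passes it to an "upsert with associations" call is worth checking.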
The researchers also discovered a medium-severity user enumeration flaw in the login functionality, tracked as CVE-2022-41607, which lets an attacker check whether an email address belongs to an account on the site.
Admins of Ghost CMS sites should apply the available security updates immediately to close both vulnerabilities before threat actors take advantage of them; you can confirm the running version with `ghost version` from Ghost-CLI.
