Cisco Talos researchers recently discovered a critical vulnerability in Ghost CMS, a popular open source content management and newsletter subscription system, designated as CVE-2022-41654. The vulnerability has the potential to allow external users (newsletter subscribers) to create newsletters and add malicious JavaScript code to existing ones.
What Is Ghost CMS?
Ghost is an open source Content Management System (CMS) designed for professional bloggers, publications, and online businesses. It is written in JavaScript and is designed to be simple to use, with an easy-to-navigate admin interface and template system. Ghost is available for free and as an open source project, and is used by thousands of websites and applications. The CMS also provides a newsletter subscription system.
CVE-2022-41654 in Ghost CMS: What Has Been Known So Far?
CVE-2022-41654 is an authentication bypass vulnerability that exists in the newsletter subscription functionality of Ghost Foundation Ghost version 5.9.4. A specially-crafted HTTP request can lead to increased privileges, and as a result, an attacker could send an HTTP request to trigger the vulnerability, Cisco Talos said.
Cisco Talos researchers unearthed that an exposed API with an incorrect inclusion of the “newsletter” relationship could give subscribers access to the functionality, thus enabling them to create newsletters or alter existing ones.
The subscription accounts (members) are completely separated from the user accounts used to manage the content of the site and have no site access beyond that of a fully unauthenticated user, the researchers said. Furthermore, member accounts do not require any kind of administrative action or approval to create, and members are only allowed to update their email address, name and newsletter subscription.
“The /members/api/member/ API endpoint is exposed to allow the user to retrieve/update these fields, but an incorrect inclusion of the newsletter relationship allows a member full access to create and modify newsletters, including the system-wide default newsletter that all members are subscribed to by default,” the report noted.
The other, more serious issue stemming from the CVE-2022-41654 vulnerability is the fact that, by design, Ghost CMS allows JavaScript to be injected into the content of the site. Most likely, this is permitted because the original intention was that only trusted users would inject JavaScript.
However, because a newsletter object carries at least one such field, this permissive model can be leveraged to create a stored XSS in the newsletter object. “As this is more traditional stored XSS, a user with the correct privileges is required to edit the default newsletter to trigger the account creation,” the researchers added.
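The mechanism described in the two passages above (a member self-service endpoint that incorrectly includes a writable newsletter relationship, so that fields trusted only to editors become reachable by subscribers) can be shown in a small in-memory model. The following is an added illustration, not Ghost's own code: the store, the member and newsletter ids, the field names and both handlers are constructed for the example. It contrasts a handler that upserts related newsletter objects from the request body with one that allowlists the member-owned attributes and reduces the relationship to ids of newsletters that already exist.

```javascript
// Added illustration, not Ghost's own code: why exposing a writable
// "newsletters" relationship on a member self-service update endpoint is a
// privilege escalation, and how an allowlisted update handler avoids it.
// All names, ids and the in-memory store below are constructed for the example.

// Constructed sample state: one site-wide default newsletter and one member.
function makeState() {
  return {
    newsletters: {
      'nl-default': { id: 'nl-default', name: 'Weekly Digest', header: '<p>Hello</p>' },
    },
    members: {
      'm-1': { id: 'm-1', email: 'reader@example.com', name: 'Reader', newsletters: ['nl-default'] },
    },
  };
}

// Vulnerable pattern: the handler merges the request body into the member and
// upserts any related newsletter objects it carries. A subscriber can therefore
// rewrite the shared default newsletter or create a new one.
function updateMemberVulnerable(state, memberId, body) {
  const member = state.members[memberId];
  if (!member) throw new Error('no such member');
  const { newsletters, ...attrs } = body;
  Object.assign(member, attrs);
  if (Array.isArray(newsletters)) {
    member.newsletters = newsletters.map((nl) => {
      const id = nl.id || `nl-${Object.keys(state.newsletters).length + 1}`;
      state.newsletters[id] = { ...(state.newsletters[id] || {}), ...nl, id };
      return id;
    });
  }
  return member;
}

// Hardened pattern: only member-owned attributes are writable, and the
// relationship is reduced to a list of ids of newsletters that already exist.
// Newsletter attributes are unreachable through this endpoint.
const MEMBER_WRITABLE = ['email', 'name'];

function updateMemberHardened(state, memberId, body) {
  const member = state.members[memberId];
  if (!member) throw new Error('no such member');
  for (const key of MEMBER_WRITABLE) {
    if (typeof body[key] === 'string') member[key] = body[key];
  }
  if (Array.isArray(body.newsletters)) {
    const ids = body.newsletters.map((nl) => (typeof nl === 'string' ? nl : nl && nl.id));
    const unknown = ids.filter((id) => !state.newsletters[id]);
    if (unknown.length) throw new Error(`unknown newsletter ids: ${unknown.join(', ')}`);
    member.newsletters = [...new Set(ids)];
  }
  return member;
}

// Constructed subscriber requests: a profile edit that also carries a change to
// the default newsletter's header, and one that tries to create a newsletter.
const editDefault = { name: 'Reader', newsletters: [{ id: 'nl-default', header: '<p>set by subscriber</p>' }] };
const createNew = { newsletters: [{ id: 'nl-default' }, { name: 'Unapproved newsletter' }] };

// Run both requests through each handler and report the resulting store.
function demo() {
  const v = makeState();
  updateMemberVulnerable(v, 'm-1', editDefault);
  updateMemberVulnerable(v, 'm-1', createNew);

  const h = makeState();
  updateMemberHardened(h, 'm-1', editDefault);
  let rejected = false;
  try { updateMemberHardened(h, 'm-1', createNew); } catch (e) { rejected = true; }

  return {
    vulnerableHeader: v.newsletters['nl-default'].header,   // rewritten by the subscriber
    vulnerableCount: Object.keys(v.newsletters).length,     // a second newsletter was created
    hardenedHeader: h.newsletters['nl-default'].header,     // unchanged
    hardenedCount: Object.keys(h.newsletters).length,       // still one newsletter
    hardenedRejectedCreate: rejected,                       // creation attempt refused
  };
}

console.log(demo());
```

The detection side follows from the same shape: any member-context request whose body carries newsletter objects with attributes other than an id is something a subscriber has no business sending, and the hardened handler turns it into a logged error instead of a silent write.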