What Is Ghost CMS?
CVE-2022-41654 in Ghost CMS: What Has Been Known So Far?
CVE-2022-41654 is an authentication bypass vulnerability in the newsletter subscription functionality of Ghost Foundation Ghost version 5.9.4. A specially crafted HTTP request can lead to increased privileges; an attacker can send such a request to trigger the vulnerability, Cisco Talos said.
Cisco Talos researchers found that an exposed API incorrectly included the “newsletter” relationship, giving subscribers access to newsletter functionality and thereby allowing them to create newsletters or alter existing ones.
Subscription accounts (members) are completely separate from the user accounts used to manage the site's content and have no site access beyond that of a fully unauthenticated user, the researchers said. Furthermore, member accounts require no administrative action or approval to create, and members are only allowed to update their email address, name and newsletter subscription.
“The /members/api/member/ API endpoint is exposed to allow the user to retrieve/update these fields, but an incorrect inclusion of the newsletter relationship allows a member full access to create and modify newsletters, including the system-wide default newsletter that all members are subscribed to by default,” the report noted.
However, because a newsletter has at least one such field, this permissive model can be leveraged to plant a stored XSS in the newsletter object. “As this is more traditional stored XSS, a user with the correct privileges is required to edit the default newsletter to trigger the account creation,” the researchers added.
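As an added illustration (not Ghost's code and not from the Talos report), the following contrasts a member self-update handler that writes the nested newsletter relation straight through with one that reduces it to an allow-list of existing newsletter ids; the store shapes, field names and sample data are assumed.

```javascript
// Added example; models the member self-update endpoint described above.
// Assumed (constructed) store: members and newsletters keyed by id.
const MEMBER_EDITABLE = new Set(['email', 'name', 'newsletters']);

// Permissive handler: the nested newsletter objects in the request are merged
// back into the newsletter store, so a member can change any newsletter
// attribute, not just which newsletters they receive.
function permissiveUpdate(store, memberId, body) {
  const member = store.members[memberId];
  for (const [key, value] of Object.entries(body)) {
    if (MEMBER_EDITABLE.has(key)) member[key] = value;
  }
  for (const nl of member.newsletters || []) {
    // Relation write-through: attribute changes land on the shared object.
    store.newsletters[nl.id] = { ...store.newsletters[nl.id], ...nl };
  }
  return member;
}

// Hardened handler: only the member's own scalar fields are accepted, and the
// relation is reduced to ids of newsletters that already exist. Every other
// newsletter attribute supplied by the member is dropped.
function hardenedUpdate(store, memberId, body) {
  const member = store.members[memberId];
  if (typeof body.email === 'string') member.email = body.email;
  if (typeof body.name === 'string') member.name = body.name;
  if (Array.isArray(body.newsletters)) {
    const ids = body.newsletters.map((nl) =>
      nl !== null && typeof nl === 'object' ? nl.id : nl);
    const known = (id) => Object.prototype.hasOwnProperty.call(store.newsletters, id);
    if (!ids.every(known)) throw new Error('unknown newsletter id');
    member.newsletters = ids.map((id) => ({ id }));
  }
  return member;
}

// Constructed sample data for running the two handlers side by side.
function makeStore() {
  return {
    newsletters: { nl1: { id: 'nl1', name: 'Default newsletter', description: '' } },
    members: { m1: { id: 'm1', email: 'member@example.test', name: 'M', newsletters: [{ id: 'nl1' }] } },
  };
}
```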