Ghost is a free, open-source CMS used to build websites, publish content and send newsletters. It is positioned as a faster, simpler alternative to WordPress.
reports that Ghost is used on approximately 126,000 websites, most of them located in the United States and the United Kingdom.
On October 20, 2022, the Cisco Talos team found an authentication bypass flaw in Ghost. Talos tested and confirmed the flaw against Ghost 5.9.4; other versions are likely affected as well.
This flaw has been identified as . It carries a critical CVSS v3 rating.
Newsletter subscribers (members) are users with no special privileges; becoming a member requires nothing more than entering an email address.
Cisco Talos found that members could reach the newsletter subsystem through an API in which the “newsletter relationship” had been incorrectly exposed to them, allowing members to create and modify newsletters.
Because every member is subscribed to the system-wide default newsletter, an attacker who can modify that newsletter controls what is sent to all subscribers.
As a demonstration, the Talos team used the flaw to store a cross-site scripting (XSS) payload in the default newsletter. The payload fires when an administrator opens that newsletter for editing, and in Talos’ test it ran with the administrator’s privileges and created new administrator accounts.
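The bug class behind the three paragraphs above is a low-privilege endpoint that accepts nested relationship objects and writes their fields through to the related table, with an admin page as the XSS sink. The following is an added illustration of that class, not Ghost’s code: the stores, the member id 42, the newsletter id 1, the field names and the handler names are all constructed for the example. The vulnerable handler merges whatever the caller sends into the newsletter row; the hardened one accepts only the id of an existing newsletter, and the admin-side renderer escapes stored text before placing it in HTML.

```javascript
// Added illustration of the bug class described above (not Ghost's code):
// a low-privilege "update my subscriptions" handler that accepts nested
// newsletter objects and writes their fields through to the newsletter table.
// All data below is constructed for the example.

function createStores() {
  return {
    newsletters: new Map([
      [1, { id: 1, name: 'Weekly digest', isDefault: true }],
    ]),
    members: new Map([
      [42, { id: 42, email: 'member@example.com', newsletters: [1] }],
    ]),
  };
}

// Vulnerable pattern: every object in body.newsletters is merged into the
// newsletter store, so a member can rename (or create) newsletters.
function updateMemberVulnerable(db, memberId, body) {
  const member = db.members.get(memberId);
  if (!member) throw new Error('no such member');
  const ids = [];
  for (const nl of body.newsletters || []) {
    const row = db.newsletters.get(nl.id) || { id: nl.id };
    Object.assign(row, nl);          // attacker-controlled fields land in the row
    db.newsletters.set(nl.id, row);  // unknown ids create brand-new newsletters
    ids.push(nl.id);
  }
  member.newsletters = ids;
  return member;
}

// Hardened pattern: a member may only pick which existing newsletters to
// receive; any other field on the relationship object is rejected.
function updateMemberHardened(db, memberId, body) {
  const member = db.members.get(memberId);
  if (!member) throw new Error('no such member');
  const ids = [];
  for (const nl of body.newsletters || []) {
    const keys = Object.keys(nl);
    if (keys.length !== 1 || keys[0] !== 'id') {
      throw new Error('members may only reference newsletters by id');
    }
    if (!db.newsletters.has(nl.id)) throw new Error('unknown newsletter');
    ids.push(nl.id);
  }
  member.newsletters = ids;
  return member;
}

// The admin UI is the XSS sink: escape stored text before placing it in HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderNewsletterName(db, id) {
  return `<span>${escapeHtml(db.newsletters.get(id).name)}</span>`;
}
```

The hardened handler treats the relationship as a set of foreign keys rather than as writable objects, which is the fix for this class regardless of ORM: a subscriber chooses newsletters, but never describes them. Output escaping in the admin view is a second, independent layer; it limits the damage if a stored field is ever attacker-controlled again.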
The flaw was not the only one the Talos researchers discovered. is a user-enumeration weakness in Ghost’s login functionality that lets an attacker check whether a given email address is associated with an account.
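The article does not say how the login endpoint reveals account existence, so the following is an added illustration of the most common way this class of weakness arises, not Ghost’s code: a login handler that answers differently (in message text, and in the time taken) depending on whether the email exists, beside one that gives a single generic answer and does the same amount of work on both paths. The user table, the addresses and the stand-in hash function are constructed for the example.

```javascript
// Added illustration of the login user-enumeration class (not Ghost's code).
// The password "hash" below is a stand-in string function, not a real KDF;
// the user table is constructed for the example.

function fakeHash(password) {
  return 'stub-hash:' + password;   // stand-in for a slow password hash
}

function createUsers() {
  return new Map([['admin@example.com', { hash: fakeHash('correct horse') }]]);
}

// Compare two strings without early exit (use crypto.timingSafeEqual on
// fixed-length buffers in real code).
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Vulnerable: the error text differs depending on whether the email exists,
// and the (slow) hash step is skipped for unknown emails, so both the message
// and the response time reveal which addresses have accounts.
function loginVulnerable(users, email, password) {
  const user = users.get(email);
  if (!user) {
    return { ok: false, error: 'There is no user with that email address.' };
  }
  if (!constantTimeEqual(fakeHash(password), user.hash)) {
    return { ok: false, error: 'Your password is incorrect.' };
  }
  return { ok: true };
}

// Hardened: one generic message, and the hash comparison runs against a dummy
// hash when the email is unknown so the response shape and timing match.
const DUMMY_HASH = fakeHash('dummy-password-used-only-for-timing');

function loginHardened(users, email, password) {
  const user = users.get(email);
  const stored = user ? user.hash : DUMMY_HASH;
  const match = constantTimeEqual(fakeHash(password), stored);
  if (!user || !match) {
    return { ok: false, error: 'Incorrect email address or password.' };
  }
  return { ok: true };
}

// Oracle check: does a wrong password give different answers for a known
// and an unknown email?
function leaksAccountExistence(loginFn, users) {
  const known = loginFn(users, 'admin@example.com', 'wrong');
  const unknown = loginFn(users, 'nobody@example.com', 'wrong');
  return known.error !== unknown.error;
}
```

The oracle function is the same check a tester would run by hand against a real login form: submit a wrong password for an address known to exist and for one that does not, and compare status code, body and response time. Note that the hardened handler still has to consult the user table, so rate limiting on the endpoint remains necessary; the generic message only removes the cheap, per-request oracle.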
Ghost has fixed both vulnerabilities in the latest release of its CMS. Administrators of Ghost-based websites should apply the security update promptly.