A critical flaw in Ghost CMS' newsletter subscription system lets an external user with nothing more than a newsletter subscription create or alter newsletters and embed malicious JavaScript in them.
Because that content is later rendered for the site's administrators and subscribers, the injected JavaScript amounts to a stored cross-site scripting (XSS) attack that can hand a threat actor full control of the site, and it could be used at scale against otherwise benign Ghost-powered sites.
Ghost is a free, open-source CMS used to build websites, publish content and send newsletters. It positions itself as a faster and simpler alternative to WordPress.
reports that Ghost is used on approximately 126k websites. Most of these sites are located in the United States and the United Kingdom.
Remotely targeted
On October 20, 2022, Cisco Talos researchers found an authentication bypass flaw in Ghost. They confirmed it against Ghost 5.9.4; other versions are likely affected as well.
This flaw has been identified as . It is rated critical by CVSS v3.
Newsletter subscribers (members) hold no special privileges; becoming a member requires nothing more than entering an email address.
Cisco Talos found that the members API incorrectly exposed the "newsletter relationship", giving these unprivileged members access to the newsletter subsystem and letting them create and modify newsletters.
Every member is subscribed to the system-wide default newsletter, so an attacker who modifies it controls what is sent to all of the site's subscribers.
Post-exploitation user object (Cisco Talos)
Another issue is that Ghost allows JavaScript to be inserted into newsletters by default, and administrators cannot turn this behaviour off.
Cisco Talos used the flaw to inject a cross-site scripting (XSS) payload into the default newsletter that creates a new administrator account; the payload fires when an administrator opens the default newsletter to modify it.
Example of XSS that creates a new admin account (Cisco Talos)
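The privilege flaw described above (an unprivileged member reaching newsletter fields through a relationship exposed by the members API) and the script payload that then reaches an administrator are both, at bottom, a mass-assignment bug. The following is an added illustration written for this page; it is not Ghost's code and does not reproduce Ghost's API. It models a hypothetical "update my subscriptions" handler over an in-memory store: the vulnerable version copies every field of each nested `newsletters` object into the newsletter record, so a member can overwrite the default newsletter's body; the hardened version treats the relationship strictly as a list of existing newsletter ids. The store, field names and payload are constructed for the example.

```javascript
// Added example (not Ghost's code): a members "update self" endpoint that
// accepts a nested `newsletters` relationship. The vulnerable handler writes
// arbitrary fields of the nested objects into the newsletter table; the
// hardened handler only lets a member pick which existing newsletters to get.

// Constructed in-memory data standing in for the database.
function makeDb() {
  return {
    newsletters: new Map([
      ['nl-default', { id: 'nl-default', name: 'Weekly', body_html: '<p>Hello</p>' }],
    ]),
    members: new Map([
      ['m1', { id: 'm1', email: 'alice@example.com', newsletters: ['nl-default'] }],
    ]),
  };
}

// Vulnerable: applies each nested newsletter object wholesale (mass assignment
// through a relationship), so a member can edit or create newsletters.
function updateMemberVulnerable(db, memberId, payload) {
  const member = db.members.get(memberId);
  if (!member) throw new Error('no such member');
  if (Array.isArray(payload.newsletters)) {
    member.newsletters = [];
    for (const nl of payload.newsletters) {
      const existing = db.newsletters.get(nl.id) || { id: nl.id };
      Object.assign(existing, nl); // attacker-controlled fields land in the newsletter row
      db.newsletters.set(existing.id, existing);
      member.newsletters.push(existing.id);
    }
  }
  return member;
}

// Hardened: the member may only choose among existing newsletters by id;
// every other key in the nested object is ignored, and unknown ids are rejected.
function updateMemberHardened(db, memberId, payload) {
  const member = db.members.get(memberId);
  if (!member) throw new Error('no such member');
  if (Array.isArray(payload.newsletters)) {
    const ids = [];
    for (const nl of payload.newsletters) {
      const id = typeof nl === 'string' ? nl : nl && nl.id;
      if (typeof id !== 'string' || !db.newsletters.has(id)) {
        throw new Error(`unknown newsletter ${String(id)}`);
      }
      ids.push(id);
    }
    member.newsletters = ids;
  }
  return member;
}

// Constructed payload a member could send: rewrites the default newsletter body
// with a script that would later run in whoever renders it (e.g. an admin).
const attackerPayload = {
  newsletters: [{ id: 'nl-default', body_html: '<script>/* runs in admin */</script>' }],
};

// Runs the same payload through both handlers and returns what each left
// in the default newsletter's body.
function demo() {
  const dbA = makeDb();
  updateMemberVulnerable(dbA, 'm1', attackerPayload);
  const dbB = makeDb();
  updateMemberHardened(dbB, 'm1', attackerPayload);
  return {
    vulnerableBody: dbA.newsletters.get('nl-default').body_html,
    hardenedBody: dbB.newsletters.get('nl-default').body_html,
  };
}

console.log(demo());
```

The point to take from the hardened handler is that a relationship sent by a low-privilege caller is a set of references, not a set of records: resolve the ids against objects that already exist and drop everything else, rather than trying to blocklist dangerous fields.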
This was not the only flaw the Talos researchers found. is a vulnerability in Ghost's login functionality that lets an attacker check whether a given email address is associated with an account (user enumeration).
Ghost has fixed both vulnerabilities in the latest release of the CMS. Administrators of Ghost-based websites are advised to install the security update as soon as possible.