Vulnerabilities found in Ghost newsletter system
According to Cisco Talos, two vulnerabilities, CVE-2022-41654 and CVE-2022-41697, exist in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4 (the Ghost CMS).
External users can exploit the vulnerabilities to create new newsletters or modify existing ones, including by injecting malicious JavaScript into them.
The authentication bypass vulnerability, tracked as CVE-2022-41654 (CVSS score: 9.6) and CVE-2022-41697, allows unprivileged users to make unauthorized changes to newsletter settings.
CVE-2022-41654 allows members (unprivileged users) to change newsletter settings on sites where members are enabled, which is the default. As a result, unprivileged users can view and change settings they were not supposed to have access to, although they cannot permanently escalate their privileges or gain access to additional information. The root cause is a flaw in the validation of nested objects in the API.
A second issue stemming from the same flaw is the ability to inject JavaScript into the newsletter. Ghost allows this by default on the assumption that only administrators have access to this powerful function. Cisco Talos demonstrated the problem by exploiting the flaw to inject a cross-site scripting (XSS) payload into the system, which was triggered when the administrator attempted to edit the default newsletter.
CVE-2022-41697, on the other hand, allows a specially crafted HTTP request to lead to increased privileges; an attacker exploits it by sending such a request. The specific input involved is not publicly known; its manipulation results in an access control vulnerability. The weakness is classified as CWE-284 (Improper Access Control): the software does not restrict, or incorrectly restricts, access to a resource by an unauthorized actor. Confidentiality, integrity, and availability are all jeopardized.
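The mitigation for a nested-object validation flaw of the kind described above is to allowlist, field by field, what a member may set, including inside nested objects, instead of persisting whatever arrives. The following is an added illustration, not Ghost's code: it assumes a hypothetical member self-update endpoint whose body looks like `{ name, newsletters: [{ id }] }`, where a member may only reference a newsletter by `id` and never set newsletter properties such as its name, description or HTML content; the 24-hex-character id format is also an assumption.

```javascript
// Added example (not Ghost's code): allowlist validation of nested objects in a
// member-editable API payload. Assumed shape: { name, newsletters: [{ id }] }.
const MEMBER_EDITABLE = {
  top: new Set(['name', 'newsletters']),   // fields a member may set on itself
  newsletterItem: new Set(['id']),          // only a reference, never newsletter properties
};

const ID_RE = /^[0-9a-f]{24}$/;             // assumed id format (constructed for this example)

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Returns { ok: true, value } with a sanitized copy, or { ok: false, errors }.
// Unknown keys are rejected rather than silently dropped, so attempts to smuggle
// newsletter settings (name, description, HTML) through a nested reference are
// visible in logs instead of being persisted or ignored.
function validateMemberUpdate(body) {
  if (!isPlainObject(body)) return { ok: false, errors: ['body must be an object'] };
  const errors = [];
  const out = {};
  for (const key of Object.keys(body)) {
    if (!MEMBER_EDITABLE.top.has(key)) { errors.push(`disallowed field: ${key}`); continue; }
    if (key === 'newsletters') {
      if (!Array.isArray(body.newsletters)) { errors.push('newsletters must be an array'); continue; }
      out.newsletters = [];
      body.newsletters.forEach((item, i) => {
        if (!isPlainObject(item)) { errors.push(`newsletters[${i}] must be an object`); return; }
        for (const k of Object.keys(item)) {
          if (!MEMBER_EDITABLE.newsletterItem.has(k)) {
            errors.push(`newsletters[${i}].${k} is not member-editable`);
          }
        }
        if (typeof item.id !== 'string' || !ID_RE.test(item.id)) {
          errors.push(`newsletters[${i}].id is invalid`);
        } else {
          out.newsletters.push({ id: item.id });   // copy only the allowlisted key
        }
      });
    } else if (typeof body[key] === 'string') {
      out[key] = body[key];
    } else {
      errors.push(`${key} must be a string`);
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: out };
}
```

A request that carries extra nested keys fails validation as a whole, so the handler never reaches the persistence layer with attacker-controlled newsletter properties.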
Ghost has patched the two vulnerabilities in the most recent version of the CMS.
The sources for this piece include an article in BleepingComputer.