ClickCease Vulnerabilities found in Ghost Newsletter system

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Vulnerabilities found in Ghost Newsletter system

January 3, 2023 - TuxCare PR Team

According to Cisco Talos, two vulnerabilities in the Ghost CMS newsletter subscription system, CVE-2022-41654, and CVE-2022-41697, exist in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4.

External users can exploit the vulnerabilities to create new newsletters or modify existing ones. External actors can also create newsletters or modify existing ones by injecting malicious JavaScript into them.

The authentication bypass vulnerability, tracked as CVE-2022-41654 (CVSS score: 9.6) and CVE-2022-41697, allows unprivileged users to make unauthorized changes to newsletter settings.

For CVE-2022-41654, it allows members (unprivileged users) to change newsletter settings on sites where members are enabled by default. This allows unprivileged users to view and change settings that they were not supposed to have access to. They are unable to permanently escalate their privileges or gain access to additional information. This problem was caused by a flaw in nested object API validation.

Another issue stemming from the same flaw is the ability to inject JavaScript into the newsletter, which Ghost allows by default, assuming only administrators have access to this powerful function. This was revealed when Cisco Talos team exploited this flaw to inject an XSS (cross-site scripting) object into the system, which was triggered when the administrator attempted to edit the default newsletter.

CVE-2022-41697, on the other hand, allows a specially-crafted HTTP request to lead to increased privileges. An attacker can exploit this vulnerability by sending an HTTP request. The use of an unknown input results in an access control vulnerability. CWE-284 results from using CWE to declare the problem. The software does not restrict or incorrectly restricts unauthorized actor access to a resource. Confidentiality, integrity, and availability are all jeopardized.

Ghost has patched the two vulnerabilities in the most recent version of the CMS.

The sources for this piece include an article in BleepingComputer.

 Vulnerabilities found in Ghost Newsletter system
Article Name
Vulnerabilities found in Ghost Newsletter system
Researchers have uncovered two vulnerabilities in the Ghost CMS newsletter subscription system, CVE-2022-41654, and CVE-2022-41697.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter