
Vulnerabilities found in Ghost Newsletter system

Obanla Opeyemi

January 3, 2023 - TuxCare expert team

According to Cisco Talos, two vulnerabilities, CVE-2022-41654 and CVE-2022-41697, exist in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4.

External users can exploit the vulnerabilities to create new newsletters or modify existing ones, including by injecting malicious JavaScript into them.

The authentication bypass vulnerabilities, tracked as CVE-2022-41654 (CVSS score: 9.6) and CVE-2022-41697, allow unprivileged users to make unauthorized changes to newsletter settings.

CVE-2022-41654 allows members (unprivileged users) to change newsletter settings on sites where members are enabled, which is the default. Unprivileged users can thus view and change settings they were never supposed to have access to, although they cannot permanently escalate their privileges or gain access to additional information. The root cause was a flaw in nested object API validation.

Another issue stemming from the same flaw is the ability to inject JavaScript into the newsletter, which Ghost allows by default on the assumption that only administrators have access to this powerful function. The Cisco Talos team demonstrated this by injecting an XSS (cross-site scripting) payload into the newsletter settings, which was triggered when the administrator attempted to edit the default newsletter.
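The nested-object validation gap described above, shown as an added illustration that is not Ghost's code: a member-facing update handler that checks only the top-level fields it expects, beside one that allowlists every nesting level. The schema, field names and sample records are assumptions for the demo.

```javascript
// Hypothetical schema of the fields a member may edit on their own record.
const MEMBER_SCHEMA = {
  name: 'string',
  email: 'string',
  preferences: { marketing_opt_in: 'boolean' }, // nested, with its own allowlist
};
// Weak pattern: scalar keys are checked, but a nested object is merged unread.
function weakApply(stored, patch) {
  const out = JSON.parse(JSON.stringify(stored));
  for (const [k, v] of Object.entries(patch)) {
    if (k in MEMBER_SCHEMA && typeof v !== 'object') out[k] = v;
    else if (v && typeof v === 'object') out[k] = Object.assign(out[k] || {}, v); // gap
  }
  return out;
}

// Hardened pattern: every nesting level is checked against an explicit allowlist;
// an unexpected key is a validation error, never a silent merge.
function validate(patch, schema = MEMBER_SCHEMA, path = '') {
  const errors = [];
  for (const [k, v] of Object.entries(patch)) {
    const here = path ? `${path}.${k}` : k;
    const rule = Object.prototype.hasOwnProperty.call(schema, k) ? schema[k] : undefined;
    if (rule === undefined) errors.push(`unexpected field: ${here}`);
    else if (typeof rule === 'object') {
      if (!v || typeof v !== 'object' || Array.isArray(v)) errors.push(`expected object: ${here}`);
      else errors.push(...validate(v, rule, here));
    } else if (typeof v !== rule) errors.push(`expected ${rule}: ${here}`);
  }
  return errors;
}
function deepMerge(base, patch) {
  const out = { ...base };
  for (const [k, v] of Object.entries(patch)) {
    out[k] = v && typeof v === 'object' && !Array.isArray(v) ? deepMerge(base[k] || {}, v) : v;
  }
  return out;
}
// Returns { ok: false, errors } for a rejected patch, { ok: true, record } otherwise.
function safeApply(stored, patch) {
  const errors = validate(patch);
  return errors.length ? { ok: false, errors } : { ok: true, record: deepMerge(stored, patch) };
}

// Constructed sample: the member's patch also carries an admin-only nested block.
const STORED = { name: 'Ada', email: 'ada@example.test',
  preferences: { marketing_opt_in: false }, newsletters: { sender_name: 'Editorial' } };
const PATCH = { name: 'Ada L.', preferences: { marketing_opt_in: true },
  newsletters: { sender_name: 'Injected Sender' } };
```

With the sample input, `weakApply` silently overwrites the admin-only `newsletters` block, while `safeApply` rejects the whole patch with `unexpected field: newsletters`.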

CVE-2022-41697, on the other hand, is a privilege escalation triggered by a specially crafted HTTP request: manipulation of an unknown input leads to an access control weakness. The problem is classified as CWE-284 (Improper Access Control), which covers software that does not restrict, or incorrectly restricts, access to a resource by an unauthorized actor. Confidentiality, integrity, and availability are all affected.

Ghost has patched the two vulnerabilities in the most recent version of the CMS.

The sources for this piece include an article in BleepingComputer.
