SB2021092710 - Multiple vulnerabilities in Ghost
Published: September 27, 2021. Updated: April 27, 2026.
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to an error in the implementation of the member email change functionality. A remote attacker can change the email address of arbitrary member accounts to one they control.
2) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to take over arbitrary member accounts.
The vulnerability exists due to improper access control in the member email change functionality when handling crafted requests to the relevant API endpoint. A remote attacker can change a member account email address to one they control and validate the new address via a magic link to take over arbitrary member accounts.
Only instances with members functionality enabled are vulnerable.
Remediation
Install the update from the vendor's website.