Security update available for Ghost 3.x and 4.x

We’ve been made aware of a security vulnerability in Ghost versions 3.18.0 to 4.15.0. This is patched in 4.15.1 - which has already been released and rolled out on Ghost(Pro). Self-hosters should update to 4.15.1 (or 3.42.6 for those still on v3) as soon as possible.

Details:

An error in the implementation of the email change functionality for members means that the email address registered to a member’s profile can be changed without their consent.

Ghost instances without members functionality enabled are not affected.

Ghost(Pro):

Ghost(Pro) has already been patched. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.

Patch & Workarounds:

The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution.

As a workaround, if for any reason you cannot update your Ghost instance, you can block access to the endpoint manually at your edge. For details see advisory.

Disclosure:

Full details of the vulnerability have been published through GitHub Advisories. We’ve also published a notification to all affected sites that will appear in Ghost Admin and shared the details here on the forum. Affected Ghost 4.x versions will also self-notify site owners by email.

We’re grateful to everyone finding and reporting vulnerabilities responsibly following our security policy.


Hi thanks for the update & i receive notification. How do I update this on my terminal?

change to Ghost installation directory

$ cd /var/www/webroot_name   # the directory where ghost was installed
$ ghost update               # pull and install the latest release
$ ghost -v                   # confirm the installed Ghost version afterwards
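Added example (not from the announcement or from any poster in this thread): a small Python check that decides, from the version string `ghost -v` prints, whether a self-hosted instance falls inside the affected range stated above (3.18.0 up to but not including 3.42.6 on v3, 4.0.0 up to but not including 4.15.1 on v4) and which release it should move to. The line format `Ghost version: x.y.z (at ...)` in the sample output is an assumption about the CLI's output, and the sample itself is constructed.

```python
import re

# Affected range taken from the announcement: 3.18.0 to 4.15.0.
# Fixed releases are 3.42.6 (3.x line) and 4.15.1 (4.x line), so each
# range is [first affected, first fixed) with an exclusive upper bound.
AFFECTED_RANGES = [
    ((3, 18, 0), (3, 42, 6)),
    ((4, 0, 0), (4, 15, 1)),
]

FIXED_VERSION = {3: "3.42.6", 4: "4.15.1"}


def parse_version(text):
    """Return the first x.y.z in `text` as an int tuple for ordered comparison."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when `version` (string or tuple) is inside an affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def required_update(version):
    """The release to update to, or None when the instance is not affected."""
    v = parse_version(version)
    if not is_affected(v):
        return None
    return FIXED_VERSION[v[0]]


def ghost_version_from_cli_output(output):
    """Pull the Ghost version out of `ghost -v` output.

    Assumption: the CLI prints a line of the form 'Ghost version: x.y.z (...)'.
    Returns None when no such line is present.
    """
    m = re.search(r"^Ghost version:\s*(\d+\.\d+\.\d+)", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample of what `ghost -v` might print on an unpatched 4.x install.
SAMPLE_CLI_OUTPUT = """Ghost-CLI version: 1.17.3
Ghost version: 4.15.0 (at /var/www/webroot_name)
"""

if __name__ == "__main__":
    found = ghost_version_from_cli_output(SAMPLE_CLI_OUTPUT)
    target = required_update(found)
    if target is None:
        print(f"Ghost {found}: not in the affected range")
    else:
        print(f"Ghost {found}: affected, update to {target}")
```

Run it against the real `ghost -v` output by piping that output into `ghost_version_from_cli_output`; an instance that reports a version with no matching range (a 2.x install, or anything at or past the fixed releases) yields `None` from `required_update`.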

There used to be an “About Ghost” where we could see which version we were running, and whether an update is required. Has that been removed or moved?

It was quite useful.

It moved to the What’s New section :)


Cool! I don’t know how i missed that!
