We’ve been made aware of a security vulnerability in Ghost versions 3.18.0 to 4.15.0. This is patched in 4.15.1, which has already been released and rolled out on Ghost(Pro). Self-hosters should update to 4.15.1 (or 3.42.6 for those still on v3) as soon as possible.
Details:
An error in the implementation of the email change functionality for members means that the email address registered to a member’s profile can be changed without their consent.
Ghost instances without members functionality enabled are not affected.
Ghost(Pro):
Ghost(Pro) has already been patched. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.
Patch & Workarounds:
The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution.
As a workaround, if for any reason you cannot update your Ghost instance, you can block access to the endpoint manually at your edge. For details, see the advisory.
Disclosure:
Full details of the vulnerability have been published through GitHub Advisories. We’ve also published a notification to all affected sites that will appear in Ghost Admin and shared the details here on the forum. Affected Ghost 4.x versions will also self-notify site owners by email.
We’re grateful to everyone who finds and reports vulnerabilities responsibly, following our security policy.