Security update available for Ghost 4.48.7 and 5.22.6

We have been made aware of a security vulnerability in Ghost 4.x between v4.46.0 and v4.48.8 and Ghost 5.x prior to v5.22.7. This is patched in the latest releases, which have already been rolled out on Ghost(Pro). Self-hosters should update to the latest versions as soon as possible.

Details:

On sites where the members feature is enabled (this is the default), it is possible for members (unprivileged users) to make changes to newsletter settings. This gives unprivileged users the ability to view and change settings they were not intended to have access to. They are not able to escalate their privileges permanently or gain access to further information. This issue was caused by a gap in our API validation for nested objects: the top-level fields of a member-facing request were checked, but the objects nested inside them were not.

Ghost(Pro):

Ghost(Pro) has already been patched. We have investigated and found no evidence that the issue was exploited prior to the patch being added - meaning no customer sites have been compromised. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.

Patch & Workarounds:

  • v4.48.8 / v5.22.7 are patched for all known exploits
  • v4.48.9 / v5.24.1 contain deeper fixes to the API to close the potential for this vulnerability to appear elsewhere or regress

As a workaround, if for any reason you cannot update your Ghost instance, you can prevent this exploit by disabling members until an update can be performed.

Disclosure:

Full details of the vulnerability have been published through GitHub Advisories. We’ve also published a notification to all affected sites that will appear in Ghost Admin and shared the details here on the forum.

Credit to Dave McDaniel and other members of Cisco Talos for finding this vulnerability & reporting it responsibly following our security policy.

1 Like
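The validation gap described in the post (an allow-list that covers only the top-level keys of a request body and lets nested objects through) is illustrated below with a weak check beside a hardened one. This is an added example, not Ghost's code: the field names, payload shapes and validator functions are hypothetical.

```javascript
// Added example, not Ghost's code. Field names and payload shapes are hypothetical.
// Shows why an allow-list must be applied at every nesting level of a member-facing
// update body, not only to its top-level keys.

class ValidationError extends Error {}

// Top-level keys an unprivileged member may set on their own record (hypothetical).
const MEMBER_ALLOWED = new Set(['name', 'newsletters']);
// Inside the nested `newsletters` array a member may only reference a newsletter by id
// (subscribe/unsubscribe); every other newsletter property is an admin-only setting.
const NEWSLETTER_ALLOWED = new Set(['id']);

// Weak check: only top-level keys are allow-listed, so whatever sits inside the nested
// newsletter objects passes through untouched. This is the shape of the gap described above.
function shallowValidate(body) {
  const bad = Object.keys(body).filter((k) => !MEMBER_ALLOWED.has(k));
  if (bad.length) throw new ValidationError(`disallowed field(s): ${bad.join(', ')}`);
  return body;
}

// Reject any key not in `allowed`, reporting where in the payload it was found.
function pickAllowed(obj, allowed, path) {
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new ValidationError(`${path}: expected an object`);
  }
  const bad = Object.keys(obj).filter((k) => !allowed.has(k));
  if (bad.length) throw new ValidationError(`${path}: disallowed field(s): ${bad.join(', ')}`);
  return { ...obj };
}

// Hardened check: the allow-list is applied again inside each nested newsletter object.
function validateMemberUpdate(body) {
  const clean = pickAllowed(body, MEMBER_ALLOWED, 'member');
  if (clean.newsletters !== undefined) {
    if (!Array.isArray(clean.newsletters)) throw new ValidationError('member.newsletters: expected an array');
    clean.newsletters = clean.newsletters.map((n, i) =>
      pickAllowed(n, NEWSLETTER_ALLOWED, `member.newsletters[${i}]`));
  }
  return clean;
}

// Constructed sample payloads: a legitimate subscription change and one that carries
// an admin-only newsletter property inside the nested object.
const LEGIT = { name: 'Alice', newsletters: [{ id: 'nl_1' }] };
const TAMPERED = { name: 'Alice', newsletters: [{ id: 'nl_1', name: 'Renamed newsletter' }] };

// Returns the validator's error message, or null if it accepted the body.
function rejectionReason(validate, body) {
  try { validate(body); return null; } catch (e) { if (e instanceof ValidationError) return e.message; throw e; }
}
```

Running both validators over `TAMPERED` shows the difference: `shallowValidate` returns the body with the nested `name` intact, while `validateMemberUpdate` rejects it and names the offending path.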

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.