
Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform known as Ghost, one of which could be abused to elevate privileges via specially crafted HTTP requests.

Ghost is an open source blogging platform that’s used in more than 52,600 live websites, most of them located in the U.S., the U.K., Germany, China, France, Canada, and India.

Tracked as CVE-2022-41654 (CVSS score: 9.6), the authentication bypass vulnerability allows unprivileged users (i.e., members) to make unauthorized modifications to newsletter settings.

Cisco Talos, which discovered the shortcoming, said it could enable a member to change the system-wide default newsletter that all users are subscribed to by default.

Even worse, the ability of a site administrator to inject JavaScript into the newsletter by default could be exploited to trigger the creation of arbitrary administrator accounts when attempting to edit the newsletter.
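The member-to-settings write described above is, at its core, a handler that trusts the shape of a client-supplied body. The following is an added illustration, not code from Ghost or from the Talos write-up: a constructed model of a member self-service update handler, first in the form that lets a member-level request reach newsletter settings and its own role, then hardened with a field allowlist and id-only subscription validation. Every function name, record and field below is an assumption made for this example.

```javascript
// Added example (not Ghost's code). Models a member profile-update handler
// and the difference between trusting the request body and allowlisting it.

// Constructed state: two newsletters (one is the site-wide default) and one
// ordinary member subscribed to that default.
function makeState() {
  return {
    newsletters: {
      'nl-weekly': { id: 'nl-weekly', is_default: true,  subject: 'Weekly digest' },
      'nl-promo':  { id: 'nl-promo',  is_default: false, subject: 'Promotions' },
    },
    member: { id: 'm-1', role: 'member', name: 'Alice', subscribed: ['nl-weekly'] },
  };
}

function clone(value) { return JSON.parse(JSON.stringify(value)); }

// Vulnerable model: the body is applied as received. Entries under
// "newsletters" are taken as objects and merged into the server-side
// newsletter records, so a member request can change newsletter settings
// (such as which one is the default) and any member field, role included.
function updateMemberVulnerable(state, body) {
  const next = clone(state);
  for (const [key, value] of Object.entries(body)) {
    if (key === 'newsletters') {
      next.member.subscribed = [];
      for (const entry of value) {
        const id = typeof entry === 'string' ? entry : entry.id;
        if (!next.newsletters[id]) continue;
        if (typeof entry === 'object') Object.assign(next.newsletters[id], entry); // settings write
        next.member.subscribed.push(id);
      }
    } else {
      next.member[key] = value; // any field, including role
    }
  }
  return { ok: true, state: next };
}

// Hardened model: only profile fields a member may set are accepted, the
// subscription list must be an array of known newsletter ids, and a request
// containing anything else is rejected as a whole. Newsletter records and the
// role field are never reachable from this endpoint.
const MEMBER_WRITABLE = new Set(['name', 'newsletters']);

function updateMemberHardened(state, body) {
  const errors = [];
  const next = clone(state);
  for (const [key, value] of Object.entries(body)) {
    if (!MEMBER_WRITABLE.has(key)) {
      errors.push(`field not writable by member: ${key}`);
      continue;
    }
    if (key === 'name') {
      if (typeof value !== 'string' || value.length === 0 || value.length > 191) {
        errors.push('invalid name');
        continue;
      }
      next.member.name = value;
    } else {
      const validIds = Array.isArray(value)
        && value.every((id) => typeof id === 'string' && Object.hasOwn(next.newsletters, id));
      if (!validIds) {
        errors.push('newsletters must be a list of known newsletter ids');
        continue;
      }
      next.member.subscribed = [...new Set(value)];
    }
  }
  if (errors.length > 0) return { ok: false, errors, state }; // reject; keep prior state
  return { ok: true, state: next };
}

// Constructed body of the kind the vulnerable handler mishandles: it carries a
// role field and newsletter objects instead of newsletter ids.
const craftedBody = {
  role: 'admin',
  newsletters: [{ id: 'nl-weekly', is_default: false }, { id: 'nl-promo', is_default: true }],
};

console.log('vulnerable:', JSON.stringify(updateMemberVulnerable(makeState(), craftedBody).state));
console.log('hardened:', JSON.stringify(updateMemberHardened(makeState(), craftedBody)));
```

Run with `node` to see the two outcomes side by side. The design point is that the hardened handler validates the subscription list as identifiers only and refuses the request outright on any unexpected field, rather than silently dropping the bad parts; a silent drop would hide probing of the endpoint from the logs.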
