Skip to content

Member account takeover

Moderate severity GitHub Reviewed Published Sep 23, 2021 in TryGhost/Ghost • Updated Jan 9, 2023

Package

npm ghost (npm)

Affected versions

>= 3.18.0, < 3.42.6
>= 4.0.0, < 4.15.1

Patched versions

3.42.6
4.15.1

Description

Impact

An error in the implementation of the member email change functionality allows unauthenticated users to change the email address of arbitrary member accounts to one they control by crafting a request to the relevant API endpoint, and validating the new address via magic link sent to the new email address.

Ghost(Pro) has already been patched. Self-hosters are impacted if running Ghost a version between 3.18.0 and 4.15.0 with members functionality enabled.

Patches

Fixed in 4.15.1, all 4.x sites should upgrade as soon as possible.
Fixed in 3.42.6, all 3.x sites should upgrade as soon as possible.

Workarounds

The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution.

As a workaround, if for any reason you cannot update your Ghost instance, you can block the POST /members/api/send-magic-link/ endpoint, which will also disable member login and signup for your site.

For more information

If you have any questions or comments about this advisory:

References

@matthanley matthanley published to TryGhost/Ghost Sep 23, 2021
Reviewed Sep 23, 2021
Published to the GitHub Advisory Database Sep 23, 2021
Last updated Jan 9, 2023

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-65p7-pjj8-ggmr

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.