CVE-2022-41654
Published 2022-12-22
Priority: P3 (35) · Severity: Medium · CVSS 3.1 base score 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 18.91% (96.9th percentile)
An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
Affected
3 distinct version ranges (the source lists 5 entries, two of them duplicated)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ghost | ghost | >= 4.46.0 < 4.48.8 | 4.48.8 |
| ghost | ghost | >= 5.0.0 < 5.22.7 | 5.22.7 |
| ghost_foundation | ghost | not specified | not specified |
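A version check against the two ranges in the table above, written as an added example for this page (it is not code from Ghost or from the advisory). It assumes Ghost versions follow the `major.minor.patch` form shown in the table; a pre-release suffix such as `-rc.1` is treated as sorting before the matching release, so a pre-release of the fix version is still reported as affected.

```javascript
// Added example: is an installed Ghost version inside the affected ranges?
// Ranges copied from the advisory table: 4.46.0 <= v < 4.48.8 and 5.0.0 <= v < 5.22.7.
const AFFECTED_RANGES = [
  { from: '4.46.0', before: '4.48.8', fixed: '4.48.8' },
  { from: '5.0.0', before: '5.22.7', fixed: '5.22.7' },
];

// Parse "5.22.7", "v5.22.7" or "5.22.7-rc.1" into numeric parts plus a
// pre-release flag. Anything else is rejected rather than guessed at.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Semver-style ordering: numeric parts first, then a pre-release sorts
// before the release with the same numbers (5.22.7-rc.1 < 5.22.7).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Returns { affected, fixedIn }: fixedIn is the first patched release for
// the matching range, or null when the version is outside every range.
function checkGhostVersion(version, ranges = AFFECTED_RANGES) {
  for (const r of ranges) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0) {
      return { affected: true, fixedIn: r.fixed };
    }
  }
  return { affected: false, fixedIn: null };
}

// Constructed sample: the version Talos tested plus a few boundary cases.
for (const v of ['5.9.4', '4.48.8', '4.47.0', 'v5.22.7-rc.1', '3.42.0']) {
  console.log(v, checkGhostVersion(v));
}
```

Versions below 4.46.0 and 3.x releases fall outside both ranges and are reported as not affected; that is what the table says, not a statement that older releases are safe for other reasons.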
CVSS provenance
- NVD, CVSS v3.1: 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- NVD, CVSS v3.0: 9.6 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
The two NVD vectors disagree. The v3.1 vector (authenticated low-privilege member, limited integrity impact, no confidentiality or availability impact) matches the vendor advisory below, which states that members cannot permanently escalate privileges or reach further information; the 9.6 entry does not fit that description and is the outlier when prioritising.
OSV
osv · 2022-11-28 · CVE-2022-41654 [HIGH]
ghost vulnerable to unauthorized newsletter modification via improper access controls
### Impact
On sites where Members is enabled (this is the default) it is possible for members (unprivileged users) to make changes to newsletter settings. This gives unprivileged users the ability to view and change settings they were not intended to have access to. They are not able to escalate their privileges permanently or get access to further information. This issue was caused by a gap in our API validation for nested objects.
Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added.
Self-hosters are impacted if running a Ghost version between v4.46.0 and v4.48.7 or any version of v5 prior to v5.22.7.
### Immediate action
GHSA
ghsa · 2022-11-28 · CVE-2022-41654 [HIGH] · CWE-284 (Improper Access Control)
ghost vulnerable to unauthorized newsletter modification via improper access controls
(Same advisory text as the OSV entry above.)
No detection rules found.
No public exploits indexed.
Checkpoint
blogs_checkpoint · 2022-12-26 · indexed under CVE-2022-41080
26th December – Threat Intelligence Report
## 26th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
LastPass revealed that it has been breached for the second time this year, an event that resulted in attackers stealing customer encrypted password vaults and additional account information. The breach was achieved after attackers used information stolen from the LastPass development environment in the August incident to
Talos
blogs_talos · 2022-12-21 · CVSS 4.3 [MEDIUM]
## Vulnerability Spotlight: Authentication bypass and enumeration vulnerabilities in Ghost CMS
Dave McDaniel and other members of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered two vulnerabilities in Ghost CMS, one authentication bypass vulnerability and one enumeration vulnerability.
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.
Talos has identified an authentication bypass vulnerability that can lead to increased privileges. TALOS-2022-1624 (CVE-2022-41654) allows external users to update their newsletter preferences too liberally, which could allow a user full access to create and modify newsletters, including the default sent to all members.
TALOS-2022-1625 (CVE-2022-41697) is an en
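Both the vendor advisory ("a gap in our API validation for nested objects") and the Talos write-up ("update their newsletter preferences too liberally") describe the same bug class: a member-facing update accepts a nested `newsletters` object and writes its fields through to the newsletter records. The block below is an added illustration of that pattern and of the allow-list fix, not code from Ghost, the advisory or Talos; the request-body shape, the in-memory store and the field names are assumptions chosen for the example and do not reproduce Ghost's actual endpoints or schema.

```javascript
// Added example: mass assignment through a nested object on a member-facing
// "update my subscriptions" handler, vulnerable form beside a hardened form.

// Constructed in-memory store standing in for the newsletters and members tables.
function makeStore() {
  return {
    newsletters: new Map([
      ['nl-1', { id: 'nl-1', name: 'Weekly digest', sender_email: 'news@example.test', status: 'active' }],
      ['nl-2', { id: 'nl-2', name: 'Product updates', sender_email: 'news@example.test', status: 'archived' }],
    ]),
    members: new Map([
      ['m-1', { id: 'm-1', email: 'alice@example.test', newsletters: ['nl-1'] }],
    ]),
  };
}

// Vulnerable pattern: every nested newsletter object from the body is
// merged into the related record (update when the id exists, create when it
// does not). A member only meant to toggle a subscription can therefore
// rename a newsletter, change its sender, flip its status or create new ones.
function updateMemberVulnerable(store, memberId, body) {
  const member = store.members.get(memberId);
  if (!member) throw new Error('unknown member');
  const subscribed = [];
  for (const nl of body.newsletters || []) {
    const existing = store.newsletters.get(nl.id);
    if (existing) {
      Object.assign(existing, nl); // member-controlled fields land on the newsletter row
    } else {
      store.newsletters.set(nl.id, { ...nl }); // unknown ids create newsletters
    }
    subscribed.push(nl.id);
  }
  member.newsletters = subscribed;
  return member;
}

// Hardened pattern: the only thing a member may express is membership in an
// existing, active newsletter. The nested object is reduced to its id;
// every other field is ignored, and unknown or archived ids are rejected.
function updateMemberHardened(store, memberId, body) {
  const member = store.members.get(memberId);
  if (!member) throw new Error('unknown member');
  if (!Array.isArray(body.newsletters)) throw new Error('newsletters must be an array');
  const subscribed = new Set();
  for (const nl of body.newsletters) {
    if (!nl || typeof nl.id !== 'string') throw new Error('newsletter id required');
    const existing = store.newsletters.get(nl.id);
    if (!existing || existing.status !== 'active') throw new Error(`cannot subscribe to ${nl.id}`);
    subscribed.add(existing.id); // reference the record; never write to it
  }
  member.newsletters = [...subscribed];
  return member;
}

// Constructed request body: a subscription change carrying extra fields
// that a member should never be able to set.
const SAMPLE_BODY = {
  newsletters: [
    { id: 'nl-1', sender_email: 'attacker@evil.test', status: 'archived' },
    { id: 'nl-9', name: 'Rogue newsletter', status: 'active' },
  ],
};

const before = makeStore();
updateMemberVulnerable(before, 'm-1', SAMPLE_BODY);
console.log('vulnerable: nl-1 sender is now', before.newsletters.get('nl-1').sender_email,
  '; nl-9 created:', before.newsletters.has('nl-9'));

const after = makeStore();
try {
  updateMemberHardened(after, 'm-1', SAMPLE_BODY);
} catch (e) {
  console.log('hardened: rejected ->', e.message, '; nl-1 sender still',
    after.newsletters.get('nl-1').sender_email);
}
```

The fix is deliberately a whitelist rather than a blacklist of fields: stripping `sender_email` and `status` would leave any field added to the schema later exposed by default, whereas accepting only `id` keeps the member endpoint's write surface at exactly the subscription relation.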