GMS-2021-181: Member account takeover
Impact
An error in the implementation of the member email change functionality allows unauthenticated users to change the email address of arbitrary member accounts to one they control by crafting a request to the relevant API endpoint, and validating the new address via magic link sent to the new email address.
Ghost(Pro) has already been patched. Self-hosters are impacted if running Ghost a version between 3.18.0 and 4.15.0 with members functionality enabled.
Patches
Fixed in 4.15.1, all 4.x sites should upgrade as soon as possible. Fixed in 3.42.6, all 3.x sites should upgrade as soon as possible.
Workarounds
The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution.
As a workaround, if for any reason you cannot update your Ghost instance, you can block the POST /members/api/send-magic-link/ endpoint, which will also disable member login and signup for your site.
For more information
If you have any questions or comments about this advisory:
- Email us at security@ghost.org
References
Detect and mitigate GMS-2021-181 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →