PT-2022-26007 · Ghost Foundation · Ghost

Dave Mcdaniel · Published 2022-11-28 · Updated 2024-03-06

CVE-2022-41654

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Ghost Foundation Ghost versions 4.46.0 through 4.48.7
Ghost Foundation Ghost versions 5.0.0 through 5.22.6
Ghost Foundation Ghost version 5.9.4

Description
An authentication bypass vulnerability exists in the newsletter subscription functionality. A specially-crafted HTTP request can lead to increased privileges. This issue was caused by a gap in API validation for nested objects, which allowed unprivileged users to make changes to newsletter settings and to view or change settings they were not intended to have access to.

Recommendations
For Ghost Foundation Ghost versions 4.46.0 through 4.48.7, update to version 4.48.8 or later.
For Ghost Foundation Ghost versions 5.0.0 through 5.22.6, update to version 5.22.7 or later.
For Ghost Foundation Ghost version 5.9.4, update to a newer version that contains a fix for this issue.
As a temporary workaround, consider disabling members until an update can be performed.

Weakness Enumeration

Improper Access Control

Related Identifiers

BIT-GHOST-2022-41654
CVE-2022-41654
GHSA-9GH8-WP53-CCC6

Affected Products

Ghost