Impact
An error in the implementation of the member email change functionality allows unauthenticated users to change the email address of arbitrary member accounts to one they control by crafting a request to the relevant API endpoint, and validating the new address via magic link sent to the new email address.
Ghost(Pro) has already been patched. Self-hosters are impacted if running Ghost a version between 3.18.0 and 4.15.0 with members functionality enabled.
Patches
Fixed in 4.15.1, all 4.x sites should upgrade as soon as possible.
Fixed in 3.42.6, all 3.x sites should upgrade as soon as possible.
Workarounds
The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution.
As a workaround, if for any reason you cannot update your Ghost instance, you can block the POST /members/api/send-magic-link/ endpoint, which will also disable member login and signup for your site.
For more information
If you have any questions or comments about this advisory:
Impact
An error in the implementation of the member email change functionality allows unauthenticated users to change the email address of arbitrary member accounts to one they control by crafting a request to the relevant API endpoint, and validating the new address via magic link sent to the new email address.
Ghost(Pro) has already been patched. Self-hosters are impacted if running Ghost a version between 3.18.0 and 4.15.0 with members functionality enabled.
Patches
Fixed in 4.15.1, all 4.x sites should upgrade as soon as possible.
Fixed in 3.42.6, all 3.x sites should upgrade as soon as possible.
Workarounds
The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution.
As a workaround, if for any reason you cannot update your Ghost instance, you can block the
POST /members/api/send-magic-link/endpoint, which will also disable member login and signup for your site.For more information
If you have any questions or comments about this advisory: