Ghost 2FA Bypass Vulnerability for Staff Users

Vulnerability

A vulnerability exists in Ghost's two-factor authentication (2FA) process that allows staff users to bypass email verification. It affects Ghost versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3. The root cause is the session creation endpoint, which previously accepted a 'skipEmailVerification' property. That property was intended to let the 2FA flow complete after a password reset, but it also allowed any user to bypass 2FA during a regular login. Exploitation consisted of adding a token to the session creation request, which skipped the 2FA requirement entirely.

Impact

The 2FA mechanism for staff users can be bypassed, which could lead to unauthorized access or to actions that require elevated privileges.

Reproduction

To reproduce this vulnerability, first log in as a staff user and initiate a password reset. After resetting the password, use the 'emailVerificationToken' received to bypass 2FA when creating a session. This can be done by manually adding the token to the session creation request, effectively skipping the 2FA verification step.

Remediation

Upgrade to Ghost 5.130.6 or 6.11.0; both releases include the fix for this vulnerability.
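As an added example (not Ghost project code), the following check takes a Ghost version string and reports whether it falls inside the affected ranges stated in this advisory and which fixed release to upgrade to. The accepted input shape (an optional leading "v" and an ignored prerelease or build suffix) is an assumption; the version boundaries themselves are the ones given above.

```javascript
// Added example, not part of Ghost. Decide whether a Ghost version is in the
// affected ranges named in this advisory and which fixed release applies.
// Affected: 5.105.0 through 5.130.5 (fixed in 5.130.6)
//           6.0.0 through 6.10.3    (fixed in 6.11.0)
const AFFECTED_RANGES = [
  { min: [5, 105, 0], max: [5, 130, 5], fixed: "5.130.6" },
  { min: [6, 0, 0], max: [6, 10, 3], fixed: "6.11.0" },
];

// Parse "5.130.5", "v5.130.5" or "5.130.5-beta.1" into [major, minor, patch].
// Accepting a leading "v" and dropping any prerelease/build suffix is an
// assumption made for this example, not behaviour taken from the advisory.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, upgradeTo }: upgradeTo is the fixed release for the
// matching range, or null when the version is outside every affected range.
function assessGhostVersion(versionText) {
  const v = parseVersion(versionText);
  for (const range of AFFECTED_RANGES) {
    if (compareVersions(v, range.min) >= 0 && compareVersions(v, range.max) <= 0) {
      return { affected: true, upgradeTo: range.fixed };
    }
  }
  return { affected: false, upgradeTo: null };
}

// Convenience wrapper for a package.json body (constructed input in the
// usage below; reading the running instance's file is left to the caller).
function assessPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (typeof pkg.version !== "string") throw new Error("package.json has no version field");
  return assessGhostVersion(pkg.version);
}

// Usage on constructed inputs:
for (const v of ["5.104.9", "5.105.0", "5.130.5", "5.130.6", "6.10.3", "6.11.0"]) {
  const r = assessGhostVersion(v);
  console.log(v, r.affected ? `AFFECTED, upgrade to ${r.upgradeTo}` : "not affected");
}
console.log(assessPackageJson('{"name":"ghost","version":"6.10.3"}'));
```

The boundary versions matter most here: 5.130.5 and 6.10.3 are the last affected releases on each line, and 5.130.6 and 6.11.0 are the first fixed ones, so the comparison is inclusive on both ends of each range.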

Added: Jan 10, 2026, 3:21 AM
Updated: Jan 10, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.