Ghost Staff Token Authorization Bypass Vulnerability Allowing Endpoint Access

Vulnerability

A vulnerability exists in Ghost, a Node.js content management system, specifically in versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3. The issue arises from improper handling of Staff Token authentication, which allowed access to certain endpoints meant only for Staff Session authentication. This flaw could be exploited by external systems authenticated with Staff Tokens for Admin or Owner-role users, granting them access to restricted endpoints. The vulnerability has been patched in Ghost versions 5.130.6 and 6.11.0.

Impact

Exploitation of this vulnerability could lead to unauthorized access to admin endpoints, allowing staff tokens to delete all content or transfer site ownership.

Reproduction

The vulnerability can be reproduced by sending staff-token-authenticated requests to the '/db' or '/users/owner' endpoints with a request path that omits the trailing slash. The authorization check that restricts these endpoints to staff sessions matches the path only in its trailing-slash form, so the slash-less request bypasses it and the staff token can perform actions such as deleting all content or transferring site ownership.
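The failure mode above is a policy check that compares a raw request path against a fixed string. The following is an added illustration, not Ghost's code: it puts a naive trailing-slash-sensitive check beside a hardened one that canonicalises the path before deciding whether an endpoint is session-only. The endpoint list, the `auth.kind` field and every function name are assumptions made for the example.

```javascript
// Added example, not Ghost's code: a path-canonicalising authorization check
// for admin endpoints that must only be reachable with a staff *session*,
// never a staff *token*. The endpoint list, the `auth.kind` field and all
// function names are assumptions made for this illustration.

// Endpoints the advisory names, stored the way a naive check might store
// them: with a trailing slash.
const SESSION_ONLY_ENDPOINTS = ['/db/', '/users/owner/'];

// Naive check of the kind the advisory describes: it compares the raw request
// path against the list, so a request for '/db' (no trailing slash) is not
// recognised as restricted and a token-authenticated caller gets through.
function naiveIsSessionOnly(rawPath) {
  return SESSION_ONLY_ENDPOINTS.includes(rawPath);
}

// Canonicalise a request path before any policy decision:
//   - strip query string and fragment
//   - percent-decode once (malformed encoding yields null so callers
//     can fail closed)
//   - resolve '.' and '..' segments and collapse repeated slashes
//   - drop the trailing slash, so '/db', '/db/' and '//db/./' compare equal
function canonicalPath(rawPath) {
  let p = String(rawPath).split(/[?#]/, 1)[0];
  try {
    p = decodeURIComponent(p);
  } catch (e) {
    return null;
  }
  const segments = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue; // empty = repeated or trailing slash
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Hardened check: both sides of the comparison are canonicalised, so the
// presence or absence of a trailing slash no longer changes the outcome.
function hardenedIsSessionOnly(rawPath) {
  const canon = canonicalPath(rawPath);
  if (canon === null) return true; // unparseable path: treat as restricted
  return SESSION_ONLY_ENDPOINTS.some((e) => canonicalPath(e) === canon);
}

// Authorization decision for an already-authenticated caller.
// `auth.kind` is 'session' for a staff session and 'token' for a staff token
// (assumed field; Ghost's real auth object is not modelled here).
function authorize(auth, rawPath) {
  if (canonicalPath(rawPath) === null) {
    return { allowed: false, reason: 'unparseable path' };
  }
  if (hardenedIsSessionOnly(rawPath) && auth.kind !== 'session') {
    return { allowed: false, reason: 'endpoint requires a staff session' };
  }
  return { allowed: true, reason: 'ok' };
}
```

The design point is that canonicalisation happens once, before any policy lookup, and that a path which cannot be canonicalised is denied rather than allowed. Doing this in a single middleware layer, rather than in each endpoint check, keeps every later comparison (route matching, role checks, session-only lists) working on the same canonical form.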

Remediation

Upgrade to Ghost version 5.130.6 or 6.11.0, which contain the fix for this vulnerability.

Added: Jan 10, 2026, 3:19 AM
Updated: Jan 10, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm
category        score
spread          1.0
impact          5.0
exploitability  6.4
remediation     7.7
relevance       1.9
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.