Ghost SQL Injection Vulnerability in Admin API Members Events Endpoint

Vulnerability

A SQL injection vulnerability has been identified in the Ghost content management system, affecting versions 5.90.0 prior to 5.130.5 and 6.0.0 prior to 6.10.3. The flaw is in the '/ghost/api/admin/members/events' endpoint, where a caller holding Admin API credentials can execute arbitrary SQL against the Ghost database. The root cause is that the endpoint does not validate the 'postId' value before using it in a query, so a crafted value is carried into the SQL statement instead of being rejected. Exploitation requires authentication, but any Admin API key, including integration keys, is sufficient.

Impact

Exploitation gives an attacker with Admin API credentials arbitrary SQL execution against the Ghost database. That is enough to read, alter or delete data, including member and staff records, and, depending on the privileges of the database account Ghost connects with and how the database is configured, may lead to further attacks such as privilege escalation within the application or code execution through the database.

Reproduction

To reproduce this vulnerability, send an authenticated request to the '/ghost/api/admin/members/events' endpoint whose 'filter' parameter sets the 'data.post_id' field to an injected SQL payload. Because the 'postId' value is not validated before it reaches the query, the payload changes the SQL statement the application executes. A practical check when reviewing traffic or logs: a well-formed post ID contains no quotes, whitespace or SQL keywords, so any of those in the 'data.post_id' value is a signature of an injection attempt.
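The following is an added example, not Ghost's own code, illustrating the check described above: it pulls the 'data.post_id' value out of a members events filter, validates it, shows the vulnerable string-building pattern beside a hardened parameterized form, and runs the same check over constructed access-log lines to flag injection attempts. The 24-hex-character ObjectId format for post IDs, the table name 'members_events' and the log line format are assumptions made for the example.

```javascript
// Added example (not Ghost's own code). Assumptions: Ghost post IDs are
// 24 lowercase hex characters (ObjectId style); the table name below is a
// placeholder; the sample log lines are constructed, not real traffic.

const POST_ID_RE = /^[0-9a-f]{24}$/;
const EVENTS_PATH = '/ghost/api/admin/members/events';

// Return the raw value given to data.post_id in an NQL-style filter string,
// e.g. "data.post_id:'650f...'" or "data.post_id:650f...". Single quotes and
// backslash escapes are honoured; anything that is not a clean ID, including a
// value that breaks out of its quotes, fails the isValidPostId() check below.
function extractPostId(filter) {
  const key = 'data.post_id:';
  const start = filter.indexOf(key);
  if (start < 0) return null;
  let i = start + key.length;
  let value = '';
  if (filter[i] === "'") {
    i++;
    while (i < filter.length && filter[i] !== "'") {
      if (filter[i] === '\\' && i + 1 < filter.length) i++; // escaped char
      value += filter[i++];
    }
  } else {
    // unquoted: read up to the next NQL separator
    while (i < filter.length && !'+,)'.includes(filter[i])) value += filter[i++];
  }
  return value;
}

function isValidPostId(value) {
  return typeof value === 'string' && POST_ID_RE.test(value);
}

// Vulnerable pattern: the caller's value is spliced straight into the SQL text,
// so a quote in the value ends the literal and the rest is executed as SQL.
function buildEventsQueryVulnerable(postId) {
  return {
    sql: `SELECT * FROM members_events WHERE post_id = '${postId}'`,
    bindings: [],
  };
}

// Hardened pattern: reject anything that is not a well-formed ID, then hand the
// value to the driver as a bound parameter so it can never be parsed as SQL.
function buildEventsQueryHardened(postId) {
  if (!isValidPostId(postId)) throw new Error('invalid post_id');
  return {
    sql: 'SELECT * FROM members_events WHERE post_id = ?',
    bindings: [postId],
  };
}

// Constructed access-log lines: "<method> <path>?<query> <status>".
const SAMPLE_LOG = [
  'GET /ghost/api/admin/members/events?filter=data.post_id%3A%27650f1b2c3d4e5f6a7b8c9d0e%27 200',
  'GET /ghost/api/admin/members/events?filter=data.post_id%3A%27x%27%20OR%201%3D1--%27 200',
  'GET /ghost/api/admin/members/events?filter=type%3Aclick_event 200',
  'GET /ghost/api/admin/posts/?limit=5 200',
];

// Flag requests to the events endpoint whose data.post_id value is not a
// well-formed post ID. Returns the decoded filter strings that look injected.
function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /^\S+ (\S+?)(?:\?(\S*))? \d{3}$/.exec(line);
    if (!m || m[1] !== EVENTS_PATH) continue;
    const filter = new URLSearchParams(m[2] || '').get('filter');
    if (!filter) continue;
    const postId = extractPostId(filter);
    if (postId !== null && !isValidPostId(postId)) hits.push(filter);
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('suspicious filters:', findSuspiciousRequests(SAMPLE_LOG));
  console.log('vulnerable:', buildEventsQueryVulnerable("x' OR 1=1--").sql);
  console.log('hardened:', buildEventsQueryHardened('650f1b2c3d4e5f6a7b8c9d0e'));
}
```

The detection side is deliberately strict rather than keyword-based: instead of looking for 'OR 1=1', it treats any 'data.post_id' value that is not exactly a post ID as suspicious, which also catches obfuscated payloads. The same allow-list check is what the hardened query builder enforces before the value reaches the database.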

Remediation

Upgrade to Ghost 5.130.6 (5.x line) or 6.11.0 (6.x line); both include the patch for this issue. Because exploitation requires Admin API credentials, auditing which integrations and staff hold Admin API keys, and rotating any that are unneeded or may have leaked, limits exposure until the upgrade is applied.

Added: Jan 10, 2026, 3:18 AM
Updated: Jan 10, 2026, 3:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.