| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ghost | npm | >= 6.0.0, <= 6.10.3 | 6.11.0 |
| ghost | npm | >= 5.105.0, <= 5.130.5 | 5.130.6 |
The vulnerability allowed a staff user to bypass Two-Factor Authentication (2FA) during login. The root cause was a flaw in the server-side session creation logic: the backend endpoint that creates a session (i.e. logs a user in) accepted a request parameter named `skipEmailVerification`. When this parameter was present and set to `true`, the server skipped the 2FA check and treated the new session as verified.
The parameter was intended to give a smoother user experience after a password reset, which is itself an email-verified action. The implementation was insecure, however, because the server never validated the context of the request: `skipEmailVerification` was honoured on any login attempt, not only on the one immediately following a password reset. An attacker could simply intercept a login request and add this parameter to bypass 2FA for any staff account whose password they already held.
The patch removes the `skipEmailVerification` logic entirely. In its place, a successful password reset generates a single-use, time-limited One-Time Password (OTP) called `emailVerificationToken`, and only a login that presents this token may bypass the standard 2FA flow. Because the token is issued solely by the reset flow, the 2FA bypass is possible only after a legitimate, email-confirmed password reset.
| Affected Function | File |
|---|---|
| controller.add | ghost/core/core/server/api/endpoints/session.js |
| authenticate | ghost/admin/app/authenticators/cookie.js |