A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript.
Such an action could allow threat actors to perform large-scale phishing attacks from normally harmless sites. Furthermore, the injection of JavaScript has been shown to allow XSS vulnerabilities that could enable threat actors to gain full access to a site.
https://www.bleepingcomputer.com/news/s ... pass-flaw/