Skip to content
/ CVE-2022-36432 Public

Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36432
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

afine-com/CVE-2022-36432

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
README.md
README.md
 
 

Repository files navigation

CVE-2022-36432

Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2

Description

The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.

The vulnerability is present in blog/view/base/web/js/adminhtml/preview.js file.

In references you can find a similar issue in Magento 2 in which they fixed the problem.

Affected versions

< 2.10.5

Advisory

Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.

References

About

Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36432

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published