Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-36432 PoC — Magento Open Source 跨站脚本漏洞

Source
https://github.com/afine-com/CVE-2022-36432
Associated Vulnerability
Title:Magento Open Source 跨站脚本漏洞 (CVE-2022-36432)
Description:Magento Open Source是提供基本的电子商务功能,允许您从头开始构建独特的在线商店。 Magento Open Source 的 Amasty Blog Pro 插件存在安全漏洞,该漏洞源于不安全的使用 eval。
Description
Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2
Readme
# CVE-2022-36432
Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2

## Description

The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses `eval` unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.

The vulnerability is present in `blog/view/base/web/js/adminhtml/preview.js` file.

In references you can find a similar issue in Magento 2 in which they fixed the problem.

## Affected versions
< 2.10.5

## Advisory
Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.

### References
* https://github.com/magento/magento2/issues/377
* https://amasty.com/blog-pro-for-magento-2.html
File Snapshot

 [4.0K]  /data/pocs/4a4a2438c19561d5d72cb081d7b9a8038849ba10
└── [ 750]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.