CVE-2022-36433 PoC — Amasty Blog 跨站脚本漏洞

Source

https://github.com/afine-com/CVE-2022-36433

Associated Vulnerability

Title:Amasty Blog 跨站脚本漏洞 (CVE-2022-36433)
Description:Amasty Blog是Amasty公司的一个网站页面扩展。 Amasty Blog Pro for Magento 2.10.5之前版本存在安全漏洞，该漏洞源于博客文章创建功能允许在short_content和full_content字段中注入JavaScript代码，从而导致对管理面板用户进XSS攻击。

Description

Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2

Readme

# CVE-2022-36433
Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2

## Description
The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the `short_content` and `full_content` fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.

Vulnerable endpoints which are the injection points for the parameters mentioned above:
* POST /admin/amasty_blog/posts/preview/key/{some_key}/?isAjax=true
* POST /admin/amasty_blog/posts/save/key/{some_key}/back/edit

## Affected versions
< 2.10.5

## Advisory
Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.

## References
* https://amasty.com/blog-pro-for-magento-2.html

File Snapshot


 [4.0K]  /data/pocs/5989dc48e8b36707e1b7257b3809953d319d4b58
└── [ 769]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!