CVE-2022-35501 PoC — Amasty Blog 跨站脚本漏洞

Source

https://github.com/afine-com/CVE-2022-35501

Associated Vulnerability

Title:Amasty Blog 跨站脚本漏洞 (CVE-2022-35501)
Description:Amasty Blog是Amasty公司的一个网站页面扩展。 Amasty Blog Pro 2.10.4及之前版本存在安全漏洞，该漏洞源于存储型跨站点脚本。

Description

Stored Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2

Readme

# CVE-2022-35501
Stored Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2

## Description
The post creation functionality in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 allows injection of JavaScript code in the `title` field, leading to XSS attacks against admin panel users via duplicate post function, which used the data.title field and executed JavaScript code.

Vulnerable endpoint which is the injection point for the parameter mentioned above:
* POST /admin/amasty_blog/posts/save/key/{some_key}/

## Affected versions
< 2.10.5

## Advisory
Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.

## References
* https://amasty.com/blog-pro-for-magento-2.html

File Snapshot


 [4.0K]  /data/pocs/b2e457a78ea48ac0d8cdc5f21d19210679a4cc4a
└── [ 731]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!