Cross-Site Scripting Vulnerability in Amasty Blog Pro for Magento 2
CVE-2022-36432

5.4MEDIUM

Key Information:

Vendor: Amasty
Status: Blog Pro
Vendor: CVE Published:; 17 November 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-36432?

The Amasty Blog Pro plugin for Magento 2 includes a vulnerability in its preview functionality due to improper use of the eval function. This weakness enables attackers to inject malicious scripts, potentially compromising admin panel security by executing arbitrary code in the context of the admin user, thereby jeopardizing sensitive administrative tasks and data.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-36432
Created by afine-com

References

https://github.com/afine-com/CVE-2022-36432

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 17, 2022
🟡
Public PoC available
Oct 24, 2022
👾
Exploit known to exist
Oct 24, 2022
Vulnerability Reserved
Jul 25, 2022

CVE-2022-36432 Data

JSON