JavaScript Injection Vulnerability in Amasty Blog Pro for Magento 2
CVE-2022-36433

6.1MEDIUM

Key Information:

Vendor: Amasty
Status: Amasty Blog Pro
Vendor: CVE Published:; 29 November 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-36433?

The Amasty Blog Pro plugin for Magento 2, specifically version 2.10.3, contains a vulnerability that allows attackers to inject JavaScript code through the blog post creation functionality. By manipulating the short_content and full_content fields, the injected code can execute XSS attacks on users accessing the admin panel through post previews or during the saving process. This presents a significant security risk for websites using this plugin, compromising the integrity of the admin interface.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-36433
Created by afine-com

References

https://weglow.ski

https://github.com/afine-com/CVE-2022-36433

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 29, 2022
🟡
Public PoC available
Oct 24, 2022
👾
Exploit known to exist
Oct 24, 2022
Vulnerability Reserved
Jul 25, 2022

CVE-2022-36433 Data

JSON