关联漏洞
Description
Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2
介绍
# CVE-2022-36432
Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2
## Description
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses `eval` unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.
The vulnerability is present in `blog/view/base/web/js/adminhtml/preview.js` file.
In references you can find a similar issue in Magento 2 in which they fixed the problem.
## Affected versions
< 2.10.5
## Advisory
Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.
### References
* https://github.com/magento/magento2/issues/377
* https://amasty.com/blog-pro-for-magento-2.html
文件快照
[4.0K] /data/pocs/4a4a2438c19561d5d72cb081d7b9a8038849ba10
└── [ 750] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →