POC详情: 4a4a2438c19561d5d72cb081d7b9a8038849ba10

来源
https://github.com/afine-com/CVE-2022-36432
关联漏洞
标题: Magento Open Source 跨站脚本漏洞 (CVE-2022-36432)
描述:Magento Open Source是提供基本的电子商务功能,允许您从头开始构建独特的在线商店。 Magento Open Source 的 Amasty Blog Pro 插件存在安全漏洞,该漏洞源于不安全的使用 eval。
描述
Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2
介绍
# CVE-2022-36432
Cross-site Scripting (XSS) in Preview functionality in Amasty Blog Pro for Magento 2

## Description

The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses `eval` unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.

The vulnerability is present in `blog/view/base/web/js/adminhtml/preview.js` file.

In references you can find a similar issue in Magento 2 in which they fixed the problem.

## Affected versions
< 2.10.5

## Advisory
Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.

### References
* https://github.com/magento/magento2/issues/377
* https://amasty.com/blog-pro-for-magento-2.html
文件快照

 [4.0K]  /data/pocs/4a4a2438c19561d5d72cb081d7b9a8038849ba10
└── [ 750]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。