Giters

afine-com / CVE-2022-35500

Stored Cross-site Scripting (XSS) in leave comment functionality in Amasty Blog Pro for Magento 2

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2022-35500

Stored Cross-site Scripting (XSS) in leave comment functionality in Amasty Blog Pro for Magento 2

Description

The leave comment functionality in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 allows injection of JavaScript code in the AmBlogLeaveComment mutation in name parameter via GraphQL endpoint. The JavaScript code is executed when the victim (administrator) tries to remove the comment from the admin panel.

Affected versions

< 2.10.5

Advisory

Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.

References

About

Stored Cross-site Scripting (XSS) in leave comment functionality in Amasty Blog Pro for Magento 2