Stored Cross-site Scripting (XSS) in leave comment functionality in Amasty Blog Pro for Magento 2
The leave comment functionality in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 allows injection of JavaScript code in the AmBlogLeaveComment
mutation in name
parameter via GraphQL endpoint. The JavaScript code is executed when the victim (administrator) tries to remove the comment from the admin panel.
< 2.10.5
Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.