VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2022 · Updated Apr 28, 2025

CVE-2022-35501

Description

Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 because of the duplicate post function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Amasty Blog Pro for Magento 2 is vulnerable to stored XSS via the duplicate post function: one admin panel user can plant JavaScript in a post title that runs in another admin user's browser when that post is duplicated.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Amasty Blog Pro versions 2.10.3 and 2.10.4 for Magento 2 [2]. The injection point is the blog post title, submitted as the data.title parameter to the POST /admin/amasty_blog/posts/save/key/{some_key}/ endpoint, where it is stored as-is [2]. When an administrator duplicates an existing blog post, the stored data.title value is copied into the new post and placed in the admin page without output encoding, so JavaScript previously injected into the title executes [2].

Exploitation

An attacker who already holds an account with access to the Magento admin panel can create or modify a blog post whose title contains malicious JavaScript [2]. When another administrator uses the duplicate post function on that post, the injected script runs in the context of the admin panel [2]. No special network position is needed, and no user interaction beyond the standard duplicate action is required [2]. Because both attacker and victim are admin users, the practical risk is escalation from a low-privilege admin role (for example one limited to blog content) to the rights of whoever duplicates the post.

Impact

Successful exploitation results in stored cross-site scripting (XSS) in the admin panel [2]. The attacker can execute arbitrary JavaScript in the victim administrator's browser, potentially leading to session hijacking, defacement, or unauthorized actions within the Magento backend [2].

Mitigation

The vulnerability is fixed in Amasty Blog Pro version 2.10.5 or newer [2]. Users should update the plugin to the latest version from the official Amasty marketplace or website [1], [2]. No workarounds are documented in the available references [2]. Updating does not by itself show whether a malicious title was stored before the fix, so review existing blog post titles for markup after upgrading.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)