CVE-2022-36432
Description
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Amasty Blog Pro 2.10.3 for Magento 2 contains a stored XSS in the preview functionality due to unsafe eval usage, allowing admin panel compromise.
Vulnerability
The Preview functionality in the Amasty Blog Pro plugin versions prior to 2.10.5 for Magento 2 uses eval unsafely in the file blog/view/base/web/js/adminhtml/preview.js. An attacker can inject arbitrary JavaScript code that gets executed when the preview response is processed. This Cross-site Scripting (XSS) vulnerability requires the attacker to have access to the admin panel, where they can manipulate the generated preview application response [1].
Exploitation
An attacker with admin panel access can craft a malicious preview request containing JavaScript payloads. The unsafe eval call in the preview functionality executes the injected code when processing the preview response. No user interaction beyond the admin's normal use of the preview feature is required; the XSS triggers when the admin previews blog content that includes the attacker's payload [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Magento 2 admin panel. This can lead to theft of admin session cookies, defacement, or further privilege escalation within the Magento instance. The vulnerability is classified as Cross-site Scripting (XSS) with likely high impact on confidentiality, integrity, and availability [1].
Mitigation
Amasty released version 2.10.5 which removes the unsafe eval usage. All users should update to 2.10.5 or later. No workarounds are documented; updating the plugin is the recommended fix [1]. There is no known KEV listing for this CVE.
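The Vulnerability, Exploitation and Mitigation sections above all turn on one pattern: a preview response from the server is handed to `eval`, so whatever that response contains runs as script in the admin's browser, whereas parsing it as data cannot execute anything. The following is an added illustration of that contrast, not the Amasty plugin's own `preview.js` code; the function names, the `{"html": ...}` response shape and both sample responses are assumptions constructed for the example.

```javascript
// Added example: evaluating a preview response (the CWE-95 "eval injection"
// pattern) versus parsing it strictly as JSON data. Not the plugin's code;
// names and response shapes are assumptions.

// Vulnerable pattern: the response body is treated as JavaScript source.
// Any expression embedded in it executes with the privileges of the
// admin panel page that called eval().
function applyPreviewUnsafe(responseText) {
  // eslint-disable-next-line no-eval
  return eval("(" + responseText + ")");
}

// Hardened pattern: the response body is treated as data only.
// JSON.parse never executes code, and the shape check rejects anything
// that is not the expected {"html": "<string>"} document.
function applyPreviewSafe(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return { ok: false, error: "preview response is not valid JSON" };
  }
  if (typeof data !== "object" || data === null || typeof data.html !== "string") {
    return { ok: false, error: "unexpected preview response shape" };
  }
  return { ok: true, html: data.html };
}

// Constructed sample responses (not captured from any real system).
// A well-formed preview response:
const GOOD_RESPONSE = '{"html":"<p>Hello</p>"}';
// A tampered response that is valid JavaScript but not valid JSON: the
// value is a comma expression whose side effect is observable via a flag.
const TAMPERED_RESPONSE =
  '{"html": (globalThis.__previewDemoRan = true, "<p>x</p>")}';

// Runs both handlers over both responses and reports whether the
// tampered response caused code execution under each one.
function compareHandlers() {
  const result = {};

  globalThis.__previewDemoRan = false;
  result.unsafeGoodHtml = applyPreviewUnsafe(GOOD_RESPONSE).html;
  result.unsafeTamperedHtml = applyPreviewUnsafe(TAMPERED_RESPONSE).html;
  result.unsafeExecutedCode = globalThis.__previewDemoRan; // true: eval ran it

  globalThis.__previewDemoRan = false;
  result.safeGood = applyPreviewSafe(GOOD_RESPONSE);
  result.safeTampered = applyPreviewSafe(TAMPERED_RESPONSE);
  result.safeExecutedCode = globalThis.__previewDemoRan; // false: rejected

  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(compareHandlers(), null, 2));
}
```

The fix Amasty shipped is described only as removing the unsafe `eval` usage; the hardened handler above is one way to do that. Parsing as JSON closes the code-execution path, and the returned `html` string should then still be rendered through whatever sanitising or templating layer the admin UI already uses rather than written raw into the DOM.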
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Amasty/Blog Pro plugin
- Range: =2.10.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.