CVE-2022-35501 Stored XSS exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 due to the duplicate post function.

There are two options in the publishing menu for adding new posts to your site. The recommended option is to choose Add New Post from the menu. The second option is Add New Post from Scratch. If you choose this option, you will see a warning message as shown in the screenshot below. This is a known issue with the Amasty Blog Pro 2.10.3 and 2.10.4 plugin and is being actively worked on. We recommend not publishing through this option. If you choose to publish through this option, the issue with XSS will be present in your published blog post.

The issue with XSS in the Amasty Blog Pro plugin for Magento 2 is due to the duplicate posts function. In the Amasty Blog Pro plugin for Magento 2, there are two options for publishing your new blog posts. The recommended option is to choose Add New Post from the menu. The second option is Add New Post from Scratch. If you choose this option, you will see a warning message as shown in the screenshot below. This is a known issue with the Amasty Blog Pro 2.10.3 and 2.10.4 plugin and is being actively worked on. We recommend not publishing through this option. If you choose to publish through this option, the issue with XSS will be present in your published blog post.

Pro Tips for Keeping Your Online Presence Safe

For starters, it's important to always have a strong password for your site. This can be done by installing a free password manager like LastPass or 1Password. It is also important to keep tabs on the security of your site's plugins and themes. The creators of these extensions are constantly updating them to help protect you from potential hackers, but it is still necessary to stay on top of this process. Another great way to ensure that your online presence stays safe is to use the different Google services that are available in Magento. They allow you to see what type of threats are present on your site and how they are performing so you can make changes accordingly. For example, Google recommends that you check for any malicious links in your posts and make sure that the URL does not contain certain characters like "!@#$%^&*()" as these will attract unwanted attention from spammers and hackers. This will help to prevent any future incidents with XSS and other hacking attempts. Lastly, it’s good practice to regularly update your plugins and themes so they continue to perform optimally without breaking anything too important.

How to fix XSS in the Amasty Blog Pro plugin for Magento 2?

You can fix the issue by taking these steps:
1) Download and install the latest version of the Amasty Blog Pro plugin for Magento 2
2) Visit your blog and login to your site.
3) Delete all existing posts under News > Posts > All
4) Create a new post with the title "New Post" and publish.

The Blog Post With the XSS Issue is Published and Viewed on a Different Domain

If you publish a blog post with the XSS issue using the Amasty Blog Pro plugin for Magento 2 Add New Post from Scratch option, the blog post is published to your site and can be viewed on a different domain. For example, if your blog name is "AmastySEO.com" and you have not changed the default setting of "www." in your settings.xml file, then when you publish a blog post with the XSS issue through Add New Post from Scratch, that blog post will be published to "amastysEO.com".
The issue with XSS in the Amasty Blog Pro plugin for Magento 2 is due to this functionality. In the Amasty Blog Pro plugin for Magento 2, there are two options for publishing your new blog posts. The recommended option is to choose Add New Post from the menu. The second option is Add New Post from Scratch. If you choose this option, you will see a warning message as shown in the screenshot below. This is a known issue with the Amasty Blog Pro 2.10.3 and 2.10.4 plugin and is being actively worked on by our development team

How to Avoid XSS in Amasty Blog Pro for Magento 2

The issue with XSS in the Amasty Blog Pro plugin for Magento 2 is due to the duplicate posts function. In the Amasty Blog Pro plugin for Magento 2, there are two options for publishing your new blog posts. The recommended option is to choose Add New Post from the menu. The second option is Add New Post from Scratch. If you choose this option, you will see a warning message as shown in the screenshot below. This is a known issue with the Amasty Blog Pro 2.10.3 and 2.10.4 plugin and is being actively worked on. We recommend not publishing through this option. If you choose to publish through this option, the issue with XSS will be present in your published blog post.

Timeline

Published on: 11/23/2022 17:15:00 UTC
Last modified on: 11/28/2022 18:14:00 UTC

References