CVE-2022-35500

MEDIUM

Amasty Blog 2.10.3 - Cross-Site Scripting via Leave Comment Functionality

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-35500. PoCs published by afine-com.

AI-analyzed exploit summary The repository describes a stored XSS vulnerability in Amasty Blog Pro for Magento 2, where JavaScript can be injected via the `name` parameter in the `AmBlogLeaveComment` GraphQL mutation. The payload executes when an administrator attempts to remove the comment.

Description

Amasty Blog 2.10.3 is vulnerable to Cross Site Scripting (XSS) via leave comment functionality.

Exploits (1)

nomisec WRITEUP 1 stars

by afine-com · poc

https://github.com/afine-com/CVE-2022-35500

View Code ZIP pw:eip

The repository describes a stored XSS vulnerability in Amasty Blog Pro for Magento 2, where JavaScript can be injected via the `name` parameter in the `AmBlogLeaveComment` GraphQL mutation. The payload executes when an administrator attempts to remove the comment.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Amasty Blog Pro for Magento 2 < 2.10.5

No auth needed

Prerequisites: Access to the GraphQL endpoint of a vulnerable Amasty Blog Pro instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Product

http://amasty.com

Third Party Advisory

https://github.com/afine-com/CVE-2022-35500

Scores

CVSS v3 5.4

EPSS 0.0050

EPSS Percentile 38.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

amasty/blog_pro 2.10.3

Published Nov 23, 2022

Tracked Since Feb 18, 2026