CVE-2022-35500 - XSS Vulnerability in Amasty Blog 2.10.3’s “Leave Comment” Feature — Explained & Exploited

Cross-Site Scripting (XSS) is still one of the most common and dangerous vulnerabilities found on the web. In this post, we'll break down CVE-2022-35500 — an XSS issue found in Amasty Blog 2.10.3 for Magento. This vulnerability lets attackers inject malicious scripts via the "Leave Comment" feature, potentially compromising your site's users.

This deep dive includes:

References for further reading

By the end, you’ll understand what makes this bug possible and how it can be abused.

What Is Amasty Blog?

Amasty develops extensions for Magento — a popular e-commerce platform. Their Blog module lets store owners manage posts, let users comment, and boost SEO.

The affected version, 2.10.3, is a widely used release. If your store is on this version, you may be at risk.

About CVE-2022-35500

- CVE: CVE-2022-35500

Component: Leave Comment functionality

- Security Impact: Attackers can steal cookies/session, impersonate users, or launch phishing attacks.

Where’s the Bug?

The "Leave Comment" feature (usually under each blog post) takes user-submitted data like name, email, and comment content. The issue: user input is reflected in the page without proper sanitization.

Let’s look at a simplified example. Here’s a part of the code that processes and displays comments:

<?php
// blog_comments.php

$name = $_POST['name']; // user input
$comment = $_POST['comment']; // user input

// ... Database storing logic here ...

// Displaying the comment back to users
echo "<div class='comment'><b>$name</b>: $comment</div>";
?>

What’s wrong?
The script outputs the raw user input directly into the page, with no filtering (htmlspecialchars, strip_tags, or other sanitation missing). This allows attackers to submit HTML and JavaScript.

The Real Exploit Path

The vulnerable endpoint most often is at something like:  
/blog/post/view/id/X/

Form submission includes parameters like name, email, and comment.

Email: alice@example.com

- Comment: <script>alert('XSS by CVE-2022-35500')</script>

Once the comment is posted, anyone viewing the blog entry will see a popup alert (the script executes). In a real hack, the attacker would try to steal user cookies or session information.

Sample PoC (using curl)

curl -X POST "https://target-magentoshop.com/blog/post/view/id/123/"; \
    -d "name=Hacker&email=hacker@example.com&comment=<script>alert('XSS by CVE-2022-35500')</script>"

Deface blog posts or install phishing popups

- Redirect users by injecting malicious links/scripts

If an admin is logged in and views the infected comment, their session can be hijacked — potentially leading to a full site compromise.

How to Fix

Patch and sanitize!

Make sure user-submitted data is never output without proper escaping

echo "<div class='comment'><b>" . htmlspecialchars($name) . "</b>: " . htmlspecialchars($comment) . "</div>";

Update to the latest version of Amasty Blog, and always audit third-party plugins/extensions for XSS issues.

References

- Official CVE Record: CVE-2022-35500
- Amasty Blog Extension
- OWASP XSS Overview
- How to Prevent XSS in PHP

Conclusion

CVE-2022-35500 highlights how simple input sanitization bugs can lead to dangerous XSS attacks. Site owners must act quickly — patch or otherwise secure their Amasty Blog installation, update Magento, and sanitize all user data.

Stay safe, audit your code, and keep learning!

If you want more details about hunting and fixing XSS in Magento plugins, leave a comment below (ironically, only after you’ve patched!).

Timeline

Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/28/2022 15:26:00 UTC