Filtered by vendor Amasty
Subscriptions
Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-53787 | 1 Amasty | 1 Order Attributes For Magento 2 | 2026-06-13 | 9.8 Critical |
| Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory. | ||||
| CVE-2022-36432 | 1 Amasty | 1 Blog Pro | 2025-04-30 | 5.4 Medium |
| The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response. | ||||
| CVE-2022-35501 | 1 Amasty | 1 Blog Pro | 2025-04-28 | 5.4 Medium |
| Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 because of the duplicate post function. | ||||
| CVE-2022-35500 | 1 Amasty | 1 Blog Pro | 2025-04-28 | 5.4 Medium |
| Amasty Blog 2.10.3 is vulnerable to Cross Site Scripting (XSS) via leave comment functionality. | ||||
| CVE-2022-36433 | 1 Amasty | 1 Amasty Blog Pro | 2025-04-25 | 6.1 Medium |
| The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save. | ||||
Page 1 of 1.