CVE-2024-34102

Warning

Exploit

EPSS 94.09%
Published 13.06.2024 09:15:10
Last modified 29.11.2024 15:33:14
Source psirt@adobe.com
Teams watchlist Login
Open Login

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

Affected products Warnungen 1 Metrics 2 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Adobe ≫ Commerce Version2.4.2 Update-

Adobe ≫ Commerce Version2.4.2 Updateext-1

Adobe ≫ Commerce Version2.4.2 Updateext-2

Adobe ≫ Commerce Version2.4.2 Updateext-3

Adobe ≫ Commerce Version2.4.2 Updateext-4

Adobe ≫ Commerce Version2.4.2 Updateext-7

Adobe ≫ Commerce Version2.4.3 Update-

Adobe ≫ Commerce Version2.4.3 Updateext-1

Adobe ≫ Commerce Version2.4.3 Updateext-2

Adobe ≫ Commerce Version2.4.3 Updateext-3

Adobe ≫ Commerce Version2.4.3 Updateext-4

Adobe ≫ Commerce Version2.4.3 Updateext-7

Adobe ≫ Commerce Version2.4.4 Update-

Adobe ≫ Commerce Version2.4.4 Updatep1

Adobe ≫ Commerce Version2.4.4 Updatep2

Adobe ≫ Commerce Version2.4.4 Updatep3

Adobe ≫ Commerce Version2.4.4 Updatep4

Adobe ≫ Commerce Version2.4.4 Updatep5

Adobe ≫ Commerce Version2.4.4 Updatep6

Adobe ≫ Commerce Version2.4.4 Updatep8

Adobe ≫ Commerce Version2.4.5 Update-

Adobe ≫ Commerce Version2.4.5 Updatep1

Adobe ≫ Commerce Version2.4.5 Updatep2

Adobe ≫ Commerce Version2.4.5 Updatep3

Adobe ≫ Commerce Version2.4.5 Updatep4

Adobe ≫ Commerce Version2.4.5 Updatep5

Adobe ≫ Commerce Version2.4.5 Updatep7

Adobe ≫ Commerce Version2.4.6 Update-

Adobe ≫ Commerce Version2.4.6 Updatep1

Adobe ≫ Commerce Version2.4.6 Updatep2

Adobe ≫ Commerce Version2.4.6 Updatep3

Adobe ≫ Commerce Version2.4.6 Updatep5

Adobe ≫ Commerce Version2.4.7 Update-

Adobe ≫ Commerce Webhooks Version >= 1.2.0 < 1.5.0

Adobe ≫ Magento Version2.4.4 Update- SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep1 SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep2 SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep3 SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep4 SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep5 SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep6 SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep7 SwEditionopen_source

Adobe ≫ Magento Version2.4.4 Updatep8 SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Update- SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Updatep1 SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Updatep2 SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Updatep3 SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Updatep4 SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Updatep5 SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Updatep6 SwEditionopen_source

Adobe ≫ Magento Version2.4.5 Updatep7 SwEditionopen_source

Adobe ≫ Magento Version2.4.6 Update- SwEditionopen_source

Adobe ≫ Magento Version2.4.6 Updatep1 SwEditionopen_source

Adobe ≫ Magento Version2.4.6 Updatep2 SwEditionopen_source

Adobe ≫ Magento Version2.4.6 Updatep3 SwEditionopen_source

Adobe ≫ Magento Version2.4.6 Updatep4 SwEditionopen_source

Adobe ≫ Magento Version2.4.6 Updatep5 SwEditionopen_source

Adobe ≫ Magento Version2.4.7 Update- SwEditionopen_source

Adobe ≫ Magento Version2.4.7 Updateb1 SwEditionopen_source

17.07.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability

Vulnerability

Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.09%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
psirt@adobe.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://helpx.adobe.com/security/products/magento/apsb24-40.html

Vendor Advisory

https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102

Third Party Advisory

Exploit

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2024-34102

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-34102

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-34102

EUVD