⚠ Actively exploited
Added to CISA KEV on 2024-07-17. Federal agencies required to patch by 2024-08-07. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2024-34102

Severity: 9.8 CRITICAL
EPSS: 94.1% (top 0.09%)
CISA KEV: added 2024-07-17, due 2024-08-07
Exploit: exploited in the wild; active exploitation observed
Timeline
Published: Jun 13
KEV added: Jul 17
KEV due: Aug 7
Latest update: Oct 3

Description

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (5 packages)

Source | Package | Versions
NVD | adobe/commerce_webhooks | 1.2.0, 1.5.0
CVEListV5 | adobe/adobe_commerce | 2.4.4-p8
NVD | adobe/commerce | 6 versions (+5)
NVD | adobe/magento | 4 versions (+3)
Packagist | magento/community-edition | 2.4.6-p1, 2.4.6-p6 (+2)

🔴 Vulnerability Details (4)

OSV: Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability (2024-06-13)
GHSA: Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability (2024-06-13)
CVEList: XXE can expose crypt key and other secrets granting full admin access (2024-06-13)
VulnCheck: Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability (2024)

💥 Exploits & PoCs (2)

Metasploit: CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)
Nuclei: Adobe Commerce & Magento - CosmicSting

🔍 Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS Adobe Commerce / Magento Pre-Authentication XML Entity Injection (CVE-2024-34102) (2024-09-26)

📋 Vendor Advisories (1)

CISA: Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability (2024-07-17)

🕵️ Threat Intelligence (3)

Bleepingcomputer: Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks (2024-10-03)
Bleepingcomputer: Hackers inject malicious JS in Cisco store to steal credit cards, credentials (2024-09-04)
Threat Intel: ScreamedJungle
CVE-2024-34102 (CRITICAL CVSS 9.8) | Adobe Commerce versions 2.4.7 | cvebase.io