CVE-2024-34102
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Adobe | Adobe Commerce | 0 <= 2.4.4-p8 | affected |
Weaknesses
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: yes
- Technical Impact: total
Additional References
CVE Program Container
Additional References
- https://helpx.adobe.com/security/products/magento/apsb24-40.html
- https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102
References
- https://helpx.adobe.com/security/products/magento/apsb24-40.html
- https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.