Vulnerability Description
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adobe | Commerce | 2.4.2 |
| Adobe | Commerce Webhooks | >= 1.2.0, < 1.5.0 |
| Adobe | Magento | 2.4.4 |
Related Weaknesses (CWE)
References
- https://helpx.adobe.com/security/products/magento/apsb24-40.htmlVendor Advisory
- https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-ExploitTechnical DescriptionThird Party Advisory
- https://helpx.adobe.com/security/products/magento/apsb24-40.htmlVendor Advisory
- https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-ExploitTechnical DescriptionThird Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2024-34102?
CVE-2024-34102 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary co...
How severe is CVE-2024-34102?
CVE-2024-34102 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-34102?
Check the references section above for vendor advisories and patch information. Affected products include: Adobe Commerce, Adobe Commerce Webhooks, Adobe Magento.