Adobe Commerce Vulnerable to Arbitrary Code Execution via XML External Entity Reference
CVE-2024-34102
Key Information
- Vendor
- Adobe
- Status
- Adobe Commerce
- Vendor
- CVE Published:
- 13 June 2024
Badges
Summary
The vulnerability identified as CVE-2024-34102 affects Adobe Commerce and Magento Open Source, posing a serious security threat. The vulnerability allows attackers to read sensitive files containing passwords and execute remote code, potentially gaining full control over the affected e-commerce platform. This can lead to widespread attacks, with an estimated 75% of e-commerce websites being at risk. The slow adoption of software updates has been attributed to the introduction of security features such as Content Security Policy and Subresource Integrity in the new software versions, which can interfere with the normal operation of checkout processes. There is a warning that attackers may exploit this vulnerability in conjunction with another vulnerability, CVE-2024-2961, to cause significant harm. Despite a patch being released, there is still a risk of attackers accessing administrator APIs in environments where the iconv vulnerability has been patched.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-34102 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Adobe Commerce <= 2.4.4-p8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
BankInfoSecurityCVE-2024-34102Mass Retail Hacks Affect Adobe Commerce and Magento Stores
Thousands of online stores running Adobe Commerce and Magento software have been hacked since the summer and infected with digital payment skimmers by attackers
3 months ago
GovInfoSecurityCVE-2024-34102Mass Retail Hacks Affect Adobe Commerce and Magento Stores
Thousands of online stores running Adobe Commerce and Magento software have been hacked since the summer and infected with digital payment skimmers by attackers
3 months ago
Big names among thousands infected by payment-card-stealing CosmicSting crooks
Ray-Ban, National Geographic, Whirlpool, and Segway are among thousands of brands whose web stores were reportedly compromised by criminals exploiting the CosmicSting flaw in hope of stealing shoppers'...
3 months ago
Refferences
EPSS Score
13% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🔴
Public PoC available
- 😈
Used in Ransomware
CISA Reported
- 👾
Exploit known to exist
First article discovered by iThome
Vulnerability published
Vulnerability Reserved