Adobe Commerce Vulnerable to Arbitrary Code Execution via XML External Entity Reference
Key Information
- Vendor: Adobe
- Product: Adobe Commerce
- Published: 13 June 2024
Summary
The vulnerability identified as CVE-2024-34102 affects Adobe Commerce and Magento Open Source and poses a serious security threat. It allows attackers to read sensitive files, including ones containing passwords, and to execute code remotely, potentially gaining full control over the affected e-commerce platform. This can lead to widespread attacks, with an estimated 75% of e-commerce websites at risk. The slow adoption of software updates has been attributed to the introduction of security features such as Content Security Policy and Subresource Integrity in the new software versions, which can interfere with the normal operation of checkout processes. There is a warning that attackers may exploit this vulnerability in conjunction with another vulnerability, CVE-2024-2961, to cause significant harm. Although a patch has been released, there is still a risk of attackers accessing administrator APIs in environments where the iconv vulnerability has been patched.
Affected Version(s)
Adobe Commerce <= 2.4.4-p8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
Identified a POC for the CVE-2024-34102 Vulnerability in Magento / Adobe Commerce
Security experts have identified a significant vulnerability, CVE-2024-34102, affecting Magento and Adobe Commerce platforms.
6 days ago
Identified a PoC for the CVE-2024-34102 Vulnerability in Magento / Adobe Commerce
A PoC exploit relating to the Magento application (CVE-2024-34102) has been detected in underground forums
6 days ago
75% of Magento e-commerce platforms may be affected by the critical CosmicSting security vulnerability; if it is not patched, attackers could gain full control
Regarding the CosmicSting (CVE-2024-34102) security weakness that Adobe patched this month in its e-commerce platforms Adobe Commerce and Magento Open Source, security firm Sansec has warned that it is one of the most serious vulnerabilities in the platform's history and that site administrators should take mitigation measures as soon as possible
2 weeks ago
EPSS Score
4% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Exploit exists.
- First article discovered by iThome.
- Vulnerability published.
- Vulnerability reserved.