Adobe Commerce Vulnerable to Arbitrary Code Execution via XML External Entity Reference

Summary

The vulnerability identified as CVE-2024-34102 affects Adobe Commerce and Magento Open Source, posing a serious security threat. The vulnerability allows attackers to read sensitive files containing passwords and execute remote code, potentially gaining full control over the affected e-commerce platform. This can lead to widespread attacks, with an estimated 75% of e-commerce websites being at risk. The slow adoption of software updates has been attributed to the introduction of security features such as Content Security Policy and Subresource Integrity in the new software versions, which can interfere with the normal operation of checkout processes. There is a warning that attackers may exploit this vulnerability in conjunction with another vulnerability, CVE-2024-2961, to cause significant harm. Despite a patch being released, there is still a risk of attackers accessing administrator APIs in environments where the iconv vulnerability has been patched.

News Articles

Red Hot Cyber

CVE-2024-34102

Identified a POC for the CVE-2024-34102 Vulnerability in Magento / Adobe Commerce

Security experts have identified a significant vulnerability, CVE-2024-34102, affecting Magento and Adobe Commerce platforms.

6 days ago

Red Hot Cyber

CVE-2024-34102

Identificato POC per la Vulnerabilità CVE-2024-34102 in Magento / Adobe Commerce

È stato rilevato all'interno delle underground un exploit poke relativo all'applicazione Magento (CVE-2024-34102)

6 days ago

iThome

CVE-2024-34102

75%的Magento電商平臺恐存在重大資安漏洞CosmicSting，若不設法修補，攻擊者有可能取得完整控制權

針對Adobe本月修補電商平臺Adob​​e Commerce及Magento Open Source的資安弱點CosmicSting（CVE-2024-34102），資安業者Sansec提出警告，這是歷年來該電商平臺最嚴重的漏洞之一，網站管理者應儘速採取緩解措施因應

2 weeks ago