- Date of Issue Disclosure: June 13, 2024
- CVE-ID and CVSS Score: CVE-2024-34102, CVSS 9.8 (Critical)
- Issue Name and Description: Unauthenticated XML External Entity (XXE) vulnerability in Adobe Commerce (formerly known as Magento).
- Asset Description: Adobe Commerce is a digital eCommerce platform for businesses. This affects the following versions, per Adobe’s security advisory.
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce | 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier; 2.4.3-ext-7 and earlier*; 2.4.2-ext-7 and earlier* | All |
| Magento Open Source | 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier | All |
| Adobe Commerce Webhooks Plugin | 1.2.0 to 1.4.0 | Manual Plugin Installation |
- Vulnerability Impact: An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code, potentially leading to complete system compromise. The attacker could access sensitive data, escalate privileges, and/or gain unauthorized control over the affected Adobe Commerce installation.
- Exploitation Details:
  - The vulnerability is due to improper management of nested deserialization, which permits attackers to insert malicious XML entities. By submitting a crafted XML document that includes references to external entities, an attacker can execute arbitrary code. Note that this vulnerability does not require user interaction.
  - Adobe has confirmed that CVE-2024-34102 “has been exploited in the wild in limited attacks targeting Adobe Commerce merchants”. (https://helpx.adobe.com/security/products/magento/apsb24-40.html)
  - Since yesterday, July 23, 2024, there have been reports that threat actors are exploiting this vulnerability to breach Magento sites and exploit swap files for e-skimming attacks. Malicious code is injected into the swap files that captures sensitive information such as payment card information. (https://securityaffairs.com/166073/malware/threat-actors-abused-swap-files-e-skimming.html)
- Patch Availability:
  - Adobe has released security updates in the following versions: 2.4.7-p1, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Detection with Censys: The following queries can be leveraged to identify all Censys-visible public-facing Adobe Commerce/Magento instances. Note that this identifies the software product associated with this Advisory but does not pinpoint vulnerable instances. Further version confirmation will be necessary upon discovery.
  - Censys Search query:
    services.software: (vendor:"Adobe" and product:"Magento")
  - Censys ASM query:
    host.services.software: (vendor:"Adobe" and product:"Magento") or web_entity.instances.software: (vendor:"Adobe" and product:"Magento")
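For the version confirmation step mentioned above, the following added example (not part of the original advisory or Adobe's tooling) triages version strings against the Adobe Commerce row of the affected-versions table. The function names and the sample inventory are constructed for illustration, and treating release lines older than 2.4.2 as affected is an assumption based on the table's "and earlier" wording.

```python
import re

# Affected ceilings per release line, copied from the Adobe Commerce row of the
# table above. Suffix rank: plain release (0) < -pN patch (1) < -ext-N (2).
AFFECTED_CEILING = {
    (2, 4, 7): (0, 0),  # 2.4.7 and earlier
    (2, 4, 6): (1, 5),  # 2.4.6-p5 and earlier
    (2, 4, 5): (1, 7),  # 2.4.5-p7 and earlier
    (2, 4, 4): (1, 8),  # 2.4.4-p8 and earlier
    (2, 4, 3): (2, 7),  # 2.4.3-ext-7 and earlier
    (2, 4, 2): (2, 7),  # 2.4.2-ext-7 and earlier
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(p|ext-)(\d+))?$")


def parse_version(text):
    """Return ((major, minor, patch), (suffix_rank, n)) or None if unparseable."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    base = tuple(int(x) for x in m.group(1, 2, 3))
    kind, num = m.group(4), m.group(5)
    suffix = (0, 0) if kind is None else ({"p": 1, "ext-": 2}[kind], int(num))
    return base, suffix


def triage(text):
    """Classify a version string as 'affected', 'not-listed' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"  # e.g. beta builds or a banner without a version
    base, suffix = parsed
    if base in AFFECTED_CEILING:
        return "affected" if suffix <= AFFECTED_CEILING[base] else "not-listed"
    # Assumption: lines older than the oldest listed one count as "earlier".
    return "affected" if base < min(AFFECTED_CEILING) else "not-listed"


def triage_inventory(inventory):
    """Map each host in {host: version} to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {"shop-a.example": "2.4.6-p5", "shop-b.example": "2.4.7-p1",
          "shop-c.example": "2.4.3-p3", "shop-d.example": "2.4.7-beta3"}

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE).items():
        print(f"{host}: {result}")
```

A result of `unknown` means the version string could not be compared and the host needs manual confirmation.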
- References:
  - https://github.com/Chocapikk/CVE-2024-34102
  - https://helpx.adobe.com/security/products/magento/apsb24-40.html
  - https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102
  - https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md
  - https://securityaffairs.com/166073/malware/threat-actors-abused-swap-files-e-skimming.html

