Advisory

July 24, 2024 Advisory: Unauthenticated XXE Vulnerability in Adobe Commerce Could Lead to Site Compromise and Sensitive Data Exposure [CVE-2024-34102]

July 24, 2024

Tags:

Rapid Response

Date of Issue Disclosure: June 13, 2024
CVE-ID and CVSS Score: CVE-2024-34102, CVSS 9.8 (Critical)
Issue Name and Description: Unauthenticated XML External Entity (XXE) vulnerability in Adobe Commerce (formerly known as Magento).
Asset Description: Adobe Commerce is a digital eCommerce platform for businesses. This affects the following versions, per Adobe’s security advisory.

Product	Version	Platform
Adobe Commerce	2.4.7 and earlier 2.4.6-p5 and earlier 2.4.5-p7 and earlier 2.4.4-p8 and earlier 2.4.3-ext-7 and earlier* 2.4.2-ext-7 and earlier*	All
Magento Open Source	2.4.7 and earlier 2.4.6-p5 and earlier 2.4.5-p7 and earlier 2.4.4-p8 and earlier	All
Adobe Commerce Webhooks Plugin	1.2.0 to 1.4.0	Manual Plugin Installation

Vulnerability Impact: An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code, potentially leading to complete system compromise. The attacker could access sensitive data, escalate privileges, and/or gain unauthorized control over the affected Adobe Commerce installation
Exploitation Details:
- The vulnerability is due to improper management of nested deserialization, which permits attackers to insert malicious XML entities. By submitting a crafted XML document that includes references to external entities, an attacker can execute arbitrary code. Note that this vulnerability does not require user interaction.
- Adobe has confirmed that CVE-2024-34102 “has been exploited in the wild in limited attacks targeting Adobe Commerce merchants”. (https://helpx.adobe.com/security/products/magento/apsb24-40.html )
- Since yesterday, July 23, 2024, there have been reports that threat actors are exploiting this vulnerability to breach Magento sites and exploit swap files for e-skimming attacks. Malicious code is injected into the swap files that captures sensitive information such as payment card information. (https://securityaffairs.com/166073/malware/threat-actors-abused-swap-files-e-skimming.html )
Patch Availability:
- Adobe has released security updates in the following versions: 2.4.7-p1, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
Detection with Censys: The following queries can be leveraged to identify all Censys-visible public-facing Adobe Commerce/Magento instances. Note that this identifies the software product associated with this Advisory but does not pinpoint vulnerable instances. Further version confirmation will be necessary upon discovery.
- Censys Search query: services.software: (vendor:"Adobe" and product:"Magento")
- Censys ASM query: host.services.software: (vendor:"Adobe" and product:"Magento" ) or web_entity.instances.software: (vendor:"Adobe" and product:"Magento")
References:

Back to Resources Hub

Products

Solutions

Resources

Company

July 24, 2024 Advisory: Unauthenticated XXE Vulnerability in Adobe Commerce Could Lead to Site Compromise and Sensitive Data Exposure [CVE-2024-34102]

July 24, 2024 Advisory: Unauthenticated XXE Vulnerability in Adobe Commerce Could Lead to Site Compromise and Sensitive Data Exposure [CVE-2024-34102]

Share