CVE-2024-34102 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability

Exploit added

July 17, 2024

Action due

August 7, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-611	Improper Restriction of XML External Entity Reference

Known Affected Software Configurations

cpe:2.3:a:adobe:magento:2.4.4:p4:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.4:p5:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.4:p6:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.4:p7:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.4:p8:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.5:p5:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.5:p6:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.5:p7:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.6:p4:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.6:p5:::open_source:::*
cpe:2.3:a:adobe:commerce_webhooks:1.2.0:::::::*
cpe:2.3:a:adobe:commerce_webhooks:1.2.1:::::::*
cpe:2.3:a:adobe:commerce_webhooks:1.3.0:::::::*
cpe:2.3:a:adobe:commerce_webhooks:1.3.1:::::::*
cpe:2.3:a:adobe:commerce_webhooks:1.4.0:::::::*
cpe:2.3:a:adobe:commerce:2.4.4:p6::::::
cpe:2.3:a:adobe:commerce:2.4.6:p3::::::
cpe:2.3:a:adobe:magento:2.4.6:p3:::open_source:::*
cpe:2.3:a:adobe:commerce:2.3.7:p4-ext3::::::
cpe:2.3:a:adobe:commerce:2.3.7:p4-ext4::::::
cpe:2.3:a:adobe:commerce:2.4.0:ext-3::::::
cpe:2.3:a:adobe:commerce:2.4.0:ext-4::::::
cpe:2.3:a:adobe:commerce:2.4.1:ext-3::::::
cpe:2.3:a:adobe:commerce:2.4.1:ext-4::::::
cpe:2.3:a:adobe:commerce:2.4.2:ext-3::::::
cpe:2.3:a:adobe:commerce:2.4.2:ext-4::::::
cpe:2.3:a:adobe:commerce:2.4.3:ext-3::::::
cpe:2.3:a:adobe:commerce:2.4.3:ext-4::::::
cpe:2.3:a:adobe:commerce:2.4.4:p5::::::
cpe:2.3:a:adobe:commerce:2.4.5:p4::::::
cpe:2.3:a:adobe:commerce:2.4.5:p5::::::
cpe:2.3:a:adobe:commerce:2.4.6:p2::::::
cpe:2.3:a:adobe:magento:2.4.5:p3:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.5:p4:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.6:p1:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.6:p2:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.7:b1:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.6:-:::open_source:::*
cpe:2.3:a:adobe:commerce:2.4.4:p4::::::
cpe:2.3:a:adobe:commerce:2.4.5:p3::::::
cpe:2.3:a:adobe:commerce:2.4.6:p1::::::
cpe:2.3:a:adobe:commerce:2.3.7:p4-ext1::::::
cpe:2.3:a:adobe:commerce:2.3.7:p4-ext2::::::
cpe:2.3:a:adobe:commerce:2.3.7:p4::::::
cpe:2.3:a:adobe:commerce:2.4.0:-::::::
cpe:2.3:a:adobe:commerce:2.4.0:ext-1::::::
cpe:2.3:a:adobe:commerce:2.4.0:ext-2::::::
cpe:2.3:a:adobe:commerce:2.4.1:-::::::
cpe:2.3:a:adobe:commerce:2.4.1:ext-1::::::
cpe:2.3:a:adobe:commerce:2.4.1:ext-2::::::
cpe:2.3:a:adobe:commerce:2.4.2:-::::::
cpe:2.3:a:adobe:commerce:2.4.2:ext-1::::::
cpe:2.3:a:adobe:commerce:2.4.2:ext-2::::::
cpe:2.3:a:adobe:commerce:2.4.3:ext-1::::::
cpe:2.3:a:adobe:commerce:2.4.3:ext-2::::::
cpe:2.3:a:adobe:magento:2.4.4:-:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.4:p1:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.4:p2:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.4:p3:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.5:-:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.5:p1:::open_source:::*
cpe:2.3:a:adobe:magento:2.4.5:p2:::open_source:::*
cpe:2.3:a:adobe:commerce:2.4.4:p3::::::
cpe:2.3:a:adobe:commerce:2.4.5:p2::::::
cpe:2.3:a:adobe:commerce:2.4.6:-::::::
cpe:2.3:a:adobe:commerce:2.4.4:p2::::::
cpe:2.3:a:adobe:commerce:2.4.5:p1::::::
cpe:2.3:a:adobe:commerce:2.4.4:p1::::::
cpe:2.3:a:adobe:commerce:2.4.5:-::::::
cpe:2.3:a:adobe:commerce:2.3.7:-::::::
cpe:2.3:a:adobe:commerce:2.3.7:p3::::::
cpe:2.3:a:adobe:commerce:2.4.4:-::::::
cpe:2.3:a:adobe:commerce:2.3.7:p2::::::
cpe:2.3:a:adobe:commerce:2.4.3:-::::::
cpe:2.3:a:adobe:commerce:2.3.7:p1::::::

Details

Source:
NVD

Published:
June 13, 2024

Updated:
July 18, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined