← Back to CVEs

CVE-2024-34102

CRITICALCISA KEV

9.8

Description

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published6/13/2024

Last Modified10/23/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorAdobe

ProductCommerce and Magento Open Source

Vulnerability NameAdobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability

KEV Date Added2024-07-17

Remediation Due Date2024-08-07

Ransomware UseUnknown

Affected Products

adobe:commerceadobe:commerce_webhooksadobe:magento

Weaknesses (CWE)

CWE-611

References

https://helpx.adobe.com/security/products/magento/apsb24-40.html(psirt@adobe.com)

https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102(psirt@adobe.com)

https://helpx.adobe.com/security/products/magento/apsb24-40.html(af854a3a-2127-422b-91ae-364da2661108)

https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-34102(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.