Known Exploited Vulnerability
9.8
CRITICAL
CVE-2024-34102
Adobe Commerce and Magento Open Source Improper Re - [Actively Exploited]
Description

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

INFO

Published Date :

June 13, 2024, 9:15 a.m.

Last Modified :

Nov. 29, 2024, 3:33 p.m.

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

https://helpx.adobe.com/security/products/magento/apsb24-40.html; https://nvd.nist.gov/vuln/detail/CVE-2024-34102

Public PoC/Exploit Available at Github

CVE-2024-34102 has a 47 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-34102 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Adobe commerce
2 Adobe magento
3 Adobe commerce_webhooks
1 Magento magento
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-34102.

URL Resource
https://helpx.adobe.com/security/products/magento/apsb24-40.html Vendor Advisory
https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102 Exploit Technical Description Third Party Advisory
https://helpx.adobe.com/security/products/magento/apsb24-40.html Vendor Advisory
https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102 Exploit Technical Description Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Fix the JWT authentication vulnerability on certain Magento 2 versions. Deny tokens issued by old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.

cve-2024-34102 cosmic-sting encryption-key jwt jwt-authentication key-rotation magento2 patch token webapi

PHP

Updated: 3 days, 21 hours ago
0 stars 1 fork 1 watcher
Born at : Dec. 10, 2024, 5:25 a.m. This repo has been linked 1 different CVEs too.

A utility for Magento 2 encryption key rotation and management. CVE-2024-34102(aka Cosmic Sting) victims can use it as an aftercare.

encryption-key cli cve-2024-34102 deployment-automation key-generation key-rotation magento2 cosmic-sting

PHP

Updated: 1 week, 2 days ago
0 stars 0 fork 0 watcher
Born at : Dec. 4, 2024, 3:19 p.m. This repo has been linked 1 different CVEs too.

Magento 2 patch for CVE-2022-24086. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.

cve-2022-24086 magento2 patch rce deep-escape improper-input-validation legacyresolver template-filter all-magento24-compatible

PHP

Updated: 2 weeks, 2 days ago
0 stars 0 fork 0 watcher
Born at : Nov. 25, 2024, 6:56 a.m. This repo has been linked 2 different CVEs too.

None

PHP Shell

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : Oct. 8, 2024, 5:02 p.m. This repo has been linked 1 different CVEs too.

adobe commerce

Shell

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : Aug. 19, 2024, 7:25 p.m. This repo has been linked 1 different CVEs too.

None

Updated: 3 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Aug. 18, 2024, 5:48 p.m. This repo has been linked 2 different CVEs too.

PoC for CVE-2024-34102

Python

Updated: 2 months, 1 week ago
3 stars 0 fork 0 watcher
Born at : Aug. 13, 2024, 7:33 a.m. This repo has been linked 1 different CVEs too.

CVE-2024-37085 unauthenticated shell upload to full administrator on domain-joined esxi hypervisors.

Updated: 4 months ago
0 stars 0 fork 0 watcher
Born at : Aug. 12, 2024, 5:44 p.m. This repo has been linked 2 different CVEs too.

Magento 2 patch for CVE-2024-34102(aka CosmicSting). Another way(as an extension) to hotfix the security hole if you cannot apply the official patch or cannot upgrade Magento.

cosmicsting cve-2024-34102 extension hotfix magento2 patch bug security-hole

PHP

Updated: 1 month, 2 weeks ago
1 stars 0 fork 0 watcher
Born at : Aug. 8, 2024, 7:47 a.m. This repo has been linked 1 different CVEs too.

CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce

Updated: 4 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Aug. 1, 2024, 5:36 p.m. This repo has been linked 2 different CVEs too.

CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce

Updated: 4 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : July 30, 2024, 4:42 a.m. This repo has been linked 2 different CVEs too.

None

PHP

Updated: 4 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : July 25, 2024, 3:07 p.m. This repo has been linked 1 different CVEs too.

CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce and (NEW 0DAY)?

Updated: 4 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : July 21, 2024, 12:22 a.m. This repo has been linked 2 different CVEs too.

None

PHP

Updated: 4 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : July 15, 2024, 9:04 p.m. This repo has been linked 1 different CVEs too.

CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce

Updated: 4 months, 4 weeks ago
0 stars 0 fork 0 watcher
Born at : July 15, 2024, 3:08 p.m. This repo has been linked 2 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-34102 vulnerability anywhere in the article.

  • The Cyber Express
The Week’s Top Vulnerabilities: Cyble Urges Fixes for NVIDIA, Adobe, CUPS

Cyble researchers had a busy week, investigating 19 vulnerabilities in the week ended Oct.1 and flagging eight of them as high priority. Cyble’s weekly IT vulnerability report also noted that research ... Read more

Published Date: Oct 04, 2024 (2 months, 1 week ago)
  • security.nl
Duizenden webwinkels gecompromitteerd via kritiek lek in Adobe Commerce

Criminelen zijn erin geslaagd om bijna vijfduizend webwinkels te compromitteren waarbij gebruik is gemaakt van een kritieke kwetsbaarheid in Adobe Commerce en Magento. Het gaat onder andere om webshop ... Read more

Published Date: Oct 04, 2024 (2 months, 1 week ago)
  • The Register
Big names among thousands infected by payment-card-stealing CosmicSting crooks

Ray-Ban, National Geographic, Whirlpool, and Segway are among thousands of brands whose web stores were reportedly compromised by criminals exploiting the CosmicSting flaw in hope of stealing shoppers ... Read more

Published Date: Oct 04, 2024 (2 months, 1 week ago)
  • Cybersecurity News
Cybercriminals Exploit CosmicSting Vulnerability, Hacking Thousands of Adobe Commerce and Magento Stores

Malware in the National Geographic store | Image: SansecIn a significant cybersecurity breach this summer, cybercriminals compromised approximately 5% of all Adobe Commerce and Magento stores, affecti ... Read more

Published Date: Oct 04, 2024 (2 months, 1 week ago)
  • The Hacker News
Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

Vulnerability / Data Breach Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed ... Read more

Published Date: Oct 02, 2024 (2 months, 1 week ago)
  • Cybersecurity News
CVE-2024-30051: Windows Elevation of Privilege Flaw Exploited by QakBot Malware, PoC Published

Security researchers published the technical details and a proof-of-concept exploit (PoC) code for a zero-day vulnerability in Windows, tracked as CVE-2024-30051, which could allow attackers to escala ... Read more

Published Date: Sep 10, 2024 (3 months ago)
  • The Register
Cisco merch shoppers stung in Magecart attack

Bad news for anyone who purchased a Cisco hoodie earlier this month: Suspected Russia-based attackers injected data-stealing JavaScript into the networking giant's online store selling Cisco-branded m ... Read more

Published Date: Sep 06, 2024 (3 months, 1 week ago)
  • security.nl
'Malware in webshop van Cisco steelt creditcardgegevens klanten'

Criminelen zijn erin geslaagd om malware aan een webshop van Cisco toe te voegen die creditcardgegevens en andere data van klanten steelt, waaronder adresgegevens, telefoonnummer, e-mailadres en inlog ... Read more

Published Date: Sep 05, 2024 (3 months, 1 week ago)
  • BleepingComputer
Hackers inject malicious JS in Cisco store to steal credit cards, credentials

Cisco’s site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at ch ... Read more

Published Date: Sep 04, 2024 (3 months, 1 week ago)
  • Cybersecurity News
Linux Leaps to Record 4.44% Market Share: Open-Source OS Hits All-Time High in July

Recent data from StatCounter indicates that Linux’s market share has ascended to an unprecedented 4.44% in July. This marks a substantial increase from the 3.12% recorded during the corresponding peri ... Read more

Published Date: Aug 27, 2024 (3 months, 2 weeks ago)
  • Cybersecurity News
Cyberattack on Magento: Hackers Inject Skimmer, Card Data Stolen

Malicious JavaScript | Image: MalwarebytesDuring a recent cyberattack on numerous online stores utilizing the Magento platform, a skimmer was injected into the sites, stealing customers’ payment card ... Read more

Published Date: Aug 26, 2024 (3 months, 2 weeks ago)
  • Cybersecurity News
Urgent Chrome Update: Active Zero-Day Exploit Detected (CVE-2024-7971)

Google has released an urgent Chrome update (version 128.0.6613.84/85) in response to an actively exploited zero-day vulnerability (CVE-2024-7971). This vulnerability, categorized as a type confusion ... Read more

Published Date: Aug 22, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
Azure Kubernetes Services at Risk: “WireServing” Threat Revealed

Permissions granted to the embedded TLS certificatesA newly discovered vulnerability in Azure Kubernetes Services (AKS) has been revealed by Mandiant, a leading cybersecurity firm. The vulnerability, ... Read more

Published Date: Aug 21, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
Congress Scrutinizes TP-Link Routers Over Cybersecurity Concerns

Two members of Congress have urged the U.S. Department of Commerce to investigate the cybersecurity risks associated with Wi-Fi routers manufactured by the Chinese company TP-Link Technologies, and th ... Read more

Published Date: Aug 21, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
Xeon Sender Abuses SaaS APIs for Massive SMS Attacks

SVG SMS variant of Xeon Sender | Image: SentinelOneSecurity researchers at SentinelOne have uncovered a new cloud-based attack tool called Xeon Sender (aka XeonV5, SVG Sender) that enables threat acto ... Read more

Published Date: Aug 21, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
TA453 Deploys New BlackSmith Malware Toolset in Phishing Attack on Religious Figure

Cybersecurity firm Proofpoint has uncovered a new phishing campaign by the Iranian-backed threat actor TA453 (aka Charming Kitten, Mint Sandstorm, APT42). In this campaign, TA453 impersonated the Inst ... Read more

Published Date: Aug 20, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
EDRKillShifter: A New EDR-Killing Tool in Ransomware Attack

High-level overview of the loader execution process | Image: SophosSophos researchers have discovered a new threat: EDRKillShifter, a sophisticated tool designed to dismantle endpoint detection and re ... Read more

Published Date: Aug 18, 2024 (3 months, 3 weeks ago)
  • Cybersecurity News
CVE-2024-43360: SQLi Flaw Discovered in Popular Surveillance Software ZoneMinder

ZoneMinder, a widely used open-source video surveillance solution, has been found to contain a critical SQL injection vulnerability that could allow attackers to gain unauthorized access to sensitive ... Read more

Published Date: Aug 16, 2024 (3 months, 4 weeks ago)
  • Cybersecurity News
Last Mile Reassembly Attacks Bypass Leading Secure Web Gateways

SquareX, along with its founder Vivek Ramachandran, a renowned cybersecurity expert, recently uncovered a vulnerability in Secure Web Gateway (SWG) systems, which are employed to safeguard corporate n ... Read more

Published Date: Aug 16, 2024 (3 months, 4 weeks ago)
  • Cybersecurity News
Adobe Issues Critical Security Updates for Commerce and Magento Platforms

Adobe has released a critical security update for its widely-used e-commerce platforms, Adobe Commerce and Magento Open Source. The update addresses a range of vulnerabilities, some of which could all ... Read more

Published Date: Aug 15, 2024 (3 months, 4 weeks ago)
  • Cybersecurity News
CVE-2024-42458 (CVSS 9.8) – New Security Vulnerability in Neat VNC: Urgent Patch Released

Neat VNC, a popular open-source VNC server library used for remote desktop access and screen sharing, has been found vulnerable to a security vulnerability (CVE-2024-42458, CVSS 9.8). This flaw could ... Read more

Published Date: Aug 09, 2024 (4 months ago)
  • Cybersecurity News
Proposed US Ban on Chinese Tech Impacts Autonomous Vehicles

The United States Department of Commerce plans to propose a ban on the use of Chinese software in autonomous vehicles in the coming weeks, according to Reuters.The proposed legislation will affect car ... Read more

Published Date: Aug 08, 2024 (4 months ago)
  • The Hacker News
Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager

Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the p ... Read more

Published Date: Jul 18, 2024 (4 months, 3 weeks ago)

The following table lists the changes that have been made to the CVE-2024-34102 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Nov. 29, 2024

    Action Type Old Value New Value
    Changed CPE Configuration OR *cpe:2.3:a:adobe:commerce:2.3.7:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce_webhooks:*:*:*:*:*:*:*:* versions from (including) 1.2.0 up to (including) 1.4.0 *cpe:2.3:a:adobe:magento:2.4.4:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p6:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p7:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p8:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p6:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p7:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.7:b1:*:*:open_source:*:*:* OR *cpe:2.3:a:adobe:commerce:2.4.2:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-7:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-7:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p7:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p5:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.7:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce_webhooks:*:*:*:*:*:*:*:* versions from (including) 1.2.0 up to (excluding) 1.5.0 *cpe:2.3:a:adobe:magento:2.4.4:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p6:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p7:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p8:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p6:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p7:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.7:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.7:b1:*:*:open_source:*:*:*
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://helpx.adobe.com/security/products/magento/apsb24-40.html
    Added Reference https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 18, 2024

    Action Type Old Value New Value
    Added Date Added 2024-07-17
    Added Vulnerability Name Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
    Added Due Date 2024-08-07
    Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • Initial Analysis by [email protected]

    Jul. 09, 2024

    Action Type Old Value New Value
    Changed Reference Type https://helpx.adobe.com/security/products/magento/apsb24-40.html No Types Assigned https://helpx.adobe.com/security/products/magento/apsb24-40.html Vendor Advisory
    Changed Reference Type https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102 No Types Assigned https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102 Exploit, Technical Description, Third Party Advisory
    Added CPE Configuration OR *cpe:2.3:a:adobe:commerce:2.3.7:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.3.7:p4-ext4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.0:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.1:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.2:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.3:ext-4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:* *cpe:2.3:a:adobe:commerce_webhooks:*:*:*:*:*:*:*:* versions from (including) 1.2.0 up to (including) 1.4.0 *cpe:2.3:a:adobe:magento:2.4.4:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p6:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p7:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.4:p8:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p6:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.5:p7:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p2:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p3:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p4:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.6:p5:*:*:open_source:*:*:* *cpe:2.3:a:adobe:magento:2.4.7:b1:*:*:open_source:*:*:*
  • CVE Modified by [email protected]

    Jul. 03, 2024

    Action Type Old Value New Value
    Added Reference Adobe Systems Incorporated https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102 [No types assigned]
  • CVE Received by [email protected]

    Jun. 13, 2024

    Action Type Old Value New Value
    Added Description Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
    Added Reference Adobe Systems Incorporated https://helpx.adobe.com/security/products/magento/apsb24-40.html [No types assigned]
    Added CWE Adobe Systems Incorporated CWE-611
    Added CVSS V3.1 Adobe Systems Incorporated AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-34102 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-34102 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability