Description

Adobe Commerce and Adobe Magento have an XXE vulnerability. This vulnerability allows an attacker to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks. The vulnerability can be chained with CVE-2024-2961 to achieve RCE.

Remediation

Upgrade to the latest version of Adobe Commerce/Magento

References

Adobe Security Bulletin

Initial Analysis

Why nested deserialization is harmful: Magento XXE (CVE-2024-34102)

Related Vulnerabilities

Zenphoto Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2010-4906)

GibbonEdu Session Fixation Vulnerability (CVE-2022-27305)

WordPress Plugin Ajax Search Lite Remote Command Execution (3.1)

MySQL CVE-2021-35638 Vulnerability (CVE-2021-35638)

BigIP iRule Tcl code injection

Severity

Critical

Classification

CVE-2024-34102 CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

XXE Code Execution Known Vulnerabilities Acumonitor