CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2024-34102

CVSS 9.8v3.1pub. 2024-06-13upd. 2025-10-23

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

🤖 AI Analysis
How it works

An attacker sends a crafted XML document containing references to external XML entities (XML External Entity). The application processes this document without appropriate restrictions, allowing the reading of system files, execution of requests to internal resources, or escalation to full code execution. The vulnerability is remotely accessible without requiring an account or any user interaction.

Impact

An attacker can gain full control of the server through arbitrary code execution (RCE), as well as compromise the confidentiality, integrity, and availability of the system.

Mitigation & patch

Patches available from the vendor should be applied immediately in accordance with Adobe security bulletin APSB24-40 (https://helpx.adobe.com/security/products/magento/apsb24-40.html).

Who is affected

Adobe Commerce in versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Adobe Commerce

    APP
    Adobe
    2.4.22.4.32.4.42.4.52.4.62.4.7
  • Adobe Commerce Webhooks

    APP
    Adobe
    1.2.0 – 1.5.0 (bez)
  • Adobe Magento

    APP
    Adobe
    2.4.42.4.52.4.62.4.7

CISA KEV — detailsi

Vendori
Adobe
Producti
Commerce and Magento Open Source
Added to KEVi
July 17, 2024
Remediation deadline (US Federal)i
August 7, 2024(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 7 sierpnia 2024
Tags
RCEXXE
CWE
References

Related vulnerabilities

CVE-2025-54236CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Adobe Commerce/Magento — przejęcie sesji przez Improper Input Validation

CVE-2022-24086CRITICAL9.8⚠ KEVten sam produkt

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input va...

CVE-2025-24434CRITICAL9.1PL ✓ten sam produkt

Adobe Commerce — Incorrect Authorization umożliwiające privilege escalation

CVE-2024-45115CRITICAL9.8PL ✓ten sam produkt

Adobe Commerce — nieprawidłowe uwierzytelnienie umożliwiające privilege escalation

CVE-2024-39397CRITICAL9.0PL ✓ten sam produkt

Adobe Commerce — RCE poprzez nieograniczony upload niebezpiecznych plików