Main Vulnerability Database Vulnerabilities #VU91983

#VU91983 XML External Entity injection in Adobe Commerce (formerly Magento Commerce) and Magento Open Source - CVE-2024-34102

Published: June 12, 2024 / Updated: October 18, 2024

Vulnerability identifier: #VU91983

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2024-34102

CWE-ID: CWE-611

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vulnerable software:
Adobe Commerce (formerly Magento Commerce)
Magento Open Source

Software vendor:
Adobe

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Remediation

Install updates from vendor's website.

External links

https://helpx.adobe.com/security/products/magento/apsb24-40.html

#VU91983 XML External Entity injection in Adobe Commerce (formerly Magento Commerce) and Magento Open Source - CVE-2024-34102

Description

Remediation

External links

Please verify you're human