CVE-2024-34102

XXE can expose crypt key and other secrets granting full admin access

CVSS 9.8 (Critical) · EPSS 100.0% · Listed in CISA KEV · CWE-611
In short

Adobe Commerce has a flaw that lets an attacker submit a specially crafted XML document to expose sensitive secrets such as the encryption key and, from there, gain complete admin access to the store. Exploitation requires no user interaction.

Technical detail

An XXE (XML External Entity) vulnerability in affected Adobe Commerce versions (2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier) permits unauthenticated remote attackers to read arbitrary files and extract cryptographic keys through crafted XML payloads submitted to vulnerable endpoints. Successful exploitation grants administrative privileges and potential code execution without requiring user action or authentication.

Summary generated and translated by AI from the official description.
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Adobe · Adobe Commerce