Overview
Adobe Commerce is vulnerable to XML External Entity (XXE) injection through improper restriction of XML external entity references. This vulnerability allows authenticated attackers to execute arbitrary code by sending malicious XML payloads to vulnerable endpoints. The vulnerability was disclosed on June 13, 2024. CISA has identified CVE-2024-34102 as being exploited in the wild, but it is not currently known to be used in ransomware campaigns.
Technical details
Adobe Commerce contains an improper neutralization of XML external entity references vulnerability. The vulnerability exists in the XML parsing functionality where external entity references are not properly restricted. An attacker with authentication credentials can craft malicious XML payloads and send them to vulnerable endpoints to trigger XXE processing, potentially leading to arbitrary code execution.
The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference).
The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Impact
Successful exploitation allows authenticated attackers to execute arbitrary code on the affected Adobe Commerce server. This could lead to complete system compromise, unauthorized data access, modification of product catalogs, customer data theft, payment information interception, and defacement of the storefront. The attacker could potentially establish persistent access, pivot to internal systems, and compromise customer information.
Mitigation and workarounds
Adobe has released security patches for all affected versions. Merchants should upgrade to the patched versions immediately (Adobe Security Advisory):
1. For Commerce 2.4.7: Upgrade to version 2.4.7
2. For Commerce 2.4.6: Upgrade to version 2.4.6-p5 or later
3. For Commerce 2.4.5: Upgrade to version 2.4.5-p7 or later
4. For Commerce 2.4.4: Upgrade to version 2.4.4-p8 or later
Upgrade instructions are available at https://experienceleague.adobe.com/en/docs/commerce-operations/upgrade-guide/overview
The following versions include the necessary fixes: 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8.
As temporary workarounds:
1. Implement web application firewall (WAF) rules to block XXE attack patterns in XML payloads.
2. Monitor for suspicious XML payloads containing DOCTYPE declarations or SYSTEM references.
3. Restrict access to XML processing endpoints through network-level controls and IP whitelisting if possible.
4. Disable XML-based import/integration features if not actively used.
5. Implement strict input validation and monitoring for authentication attempts and XML submissions.
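As an added illustration (not part of this report, and not Adobe Commerce code), the Python below shows the two defensive layers the workarounds describe: a pre-parse inspection rule that flags DOCTYPE declarations and SYSTEM/PUBLIC external identifiers in an XML request body, as a WAF or monitoring rule would, and a parser configured to refuse DOCTYPE declarations and external entity references, which is the restriction the Technical details section says was missing. The sample payloads, the placeholder file path and DTD URL inside them, and the function names are constructed for this example.

```python
import re
import xml.parsers.expat as expat

# Constructed sample request bodies (not taken from any real incident).
SAMPLES = {
    "benign_order": "<order><sku>ABC-123</sku><qty>2</qty></order>",
    "doctype_external_entity": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
        "<order><sku>&ext;</sku></order>"
    ),
    "parameter_entity_public": (
        '<!DOCTYPE order [<!ENTITY % pe PUBLIC "-//placeholder//EN" '
        '"http://dtd.example.invalid/x.dtd"> %pe;]>'
        "<order/>"
    ),
    "internal_entity_only": (
        '<!DOCTYPE order [<!ENTITY co "Example Co">]>'
        "<order><vendor>&co;</vendor></order>"
    ),
}

# Layer 1: WAF / monitoring rule. Flag any DOCTYPE declaration, any entity
# declaration, and any external identifier (SYSTEM/PUBLIC) before the body
# reaches the XML parser. Names are hypothetical rule identifiers.
XXE_PATTERNS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.IGNORECASE),
    "entity_decl": re.compile(r"<!ENTITY\b", re.IGNORECASE),
    "external_id": re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE),
}


def inspect_payload(body: str) -> list[str]:
    """Return the names of XXE indicators found in an XML request body."""
    return [name for name, pat in XXE_PATTERNS.items() if pat.search(body)]


class DoctypeRejected(ValueError):
    """Raised when the hardened parser sees a DOCTYPE or external entity."""


def parse_hardened(body: str) -> dict[str, str]:
    """Parse a small, flat XML document into {tag: text}.

    The expat parser is given handlers that abort on the first DOCTYPE
    declaration and on any external entity reference, so no external
    resource can ever be fetched on behalf of the document.
    """
    parser = expat.ParserCreate()
    result: dict[str, str] = {}
    open_tags: list[str] = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed")

    def reject_external(context, base, system_id, public_id):
        raise DoctypeRejected(f"external entity {system_id!r} not allowed")

    def start(tag, attrs):
        open_tags.append(tag)

    def end(tag):
        open_tags.pop()

    def chars(data):
        if open_tags and data.strip():
            result[open_tags[-1]] = result.get(open_tags[-1], "") + data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(body, True)  # exceptions from handlers propagate out of Parse
    return result


def triage(body: str) -> dict:
    """Run both layers and return a compact record suitable for a WAF log."""
    indicators = inspect_payload(body)
    try:
        parsed = parse_hardened(body)
        verdict = "parsed"
    except DoctypeRejected as exc:
        parsed, verdict = None, f"rejected: {exc}"
    except expat.ExpatError as exc:
        parsed, verdict = None, f"malformed: {exc}"
    return {"indicators": indicators, "verdict": verdict, "parsed": parsed}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        rec = triage(body)
        print(f"{name:26s} indicators={rec['indicators']} verdict={rec['verdict']}")
```

The two layers are deliberately redundant: the regex rule gives an early, cheap signal that can be logged and alerted on at the edge, while the parser-level rejection is what actually closes the class of bug, because it does not depend on the payload matching a pattern. Note that the parser rejects even the harmless internal-entity sample; for an endpoint that only ever receives application data, refusing every DOCTYPE is the simpler and safer policy.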
CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Source: This report was generated using AI

