PT-2024-4170 · Adobe · Commerce
Jakaba01 · Published 2024-06-11 · Updated 2025-09-21 · CVE-2024-34102

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier
Description: The vulnerability is an improper restriction of XML external entity (XXE) references, which could result in arbitrary code execution. An attacker could exploit it by sending a crafted XML document that references external entities; exploitation does not require user interaction. It is estimated that over 4,000 e-stores have been compromised by exploiting this vulnerability, with 5% of Adobe Commerce and Magento stores being affected. Attackers have used the vulnerability to inject malicious scripts and steal sensitive customer information, including payment card data.
Recommendations: For Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier, update to a version that is not affected by the vulnerability. As a temporary workaround, consider disabling the XML external entity reference feature until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Rotate encryption keys to prevent further attacks.

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

BDU:2024-04655
BIT-MAGENTO-2024-34102
CVE-2024-34102
GHSA-M8CJ-3V68-3CXJ

Affected Products

Commerce