PT-2024-4170 · Adobe · Commerce

Jakaba01 · Published 2024-06-11 · Updated 2026-03-26 · CVE-2024-34102

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Adobe Commerce versions 2.4.4-p8 and earlier
Adobe Commerce versions 2.4.5-p7 and earlier
Adobe Commerce versions 2.4.6-p5 and earlier
Adobe Commerce versions 2.4.7 and earlier

Description
Adobe Commerce and Magento Open Source are affected by an Improper Restriction of XML External Entity Reference ('XXE') issue. This flaw could allow a remote attacker to execute arbitrary code by sending a specially crafted XML document that references external entities. The vulnerability is being actively exploited; reports indicate that more than 4,000 stores have been compromised and that attacks are ongoing. Multiple threat actors are leveraging this vulnerability to inject malicious scripts. The vulnerability, dubbed "CosmicSting", allows attackers to steal sensitive data, including cryptographic keys, which can lead to further compromise. The /rest/V1/guest-carts/1/estimate-shipping-methods API endpoint is a potential target: the data variable within the sourceData section of the request is susceptible to manipulation. Exploitation does not require user interaction.
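As an added example (not part of this advisory and not Adobe's or Magento's code), the following Python check walks constructed request records and flags POSTs to the endpoint named above whose JSON body carries an XML prolog or DTD entity declaration in any string field, which is one practical way to spot probing of this issue in proxy or WAF logs. The log record shape, the optional store-code path segment and the placement of sourceData inside the body are assumptions.

```python
import json
import re

# Endpoint named in the advisory; the cart-id segment is generalised and the
# optional store-code segment (/rest/<store>/V1/...) is an assumption.
TARGET_PATH = re.compile(
    r"^/rest/(?:[^/]+/)?V1/guest-carts/[^/]+/estimate-shipping-methods/?$")
# A JSON API body has no legitimate reason to carry an XML prolog or DTD.
XXE_MARKERS = re.compile(r"<\?xml|<!DOCTYPE|<!ENTITY", re.IGNORECASE)

def _strings(node, path=""):
    """Yield (dotted_key_path, value) for every string in a parsed JSON value."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def flag_xxe_requests(records):
    """Return (path, json_key, snippet) for POSTs to the shipping-estimate
    endpoint whose JSON body hides XML entity declarations in any string."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST" or not TARGET_PATH.match(rec.get("path", "")):
            continue
        try:
            body = json.loads(rec.get("body") or "null")
        except ValueError:
            body = rec.get("body", "")  # malformed JSON: scan the raw text instead
        for key, value in _strings(body):
            m = XXE_MARKERS.search(value)
            if m:
                hits.append((rec["path"], key, value[m.start():m.start() + 40]))
                break
    return hits

# Constructed sample traffic (assumed record shape: method, path, raw body);
# where sourceData sits in the body is an assumption, the detector is key-agnostic.
P = "/rest/V1/guest-carts/1/estimate-shipping-methods"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": P, "body": json.dumps(
        {"address": {"country_id": "US", "postcode": "10001"}})},
    {"method": "POST", "path": P, "body": json.dumps(
        {"address": {"country_id": "US"}, "sourceData": {"data":
         '<!DOCTYPE x [<!ENTITY e SYSTEM "http://placeholder.invalid/">]>'}})},
    {"method": "GET", "path": "/rest/V1/products", "body": ""},
]
```

Running `flag_xxe_requests(SAMPLE_REQUESTS)` reports only the second record, keyed as `sourceData.data`; a body that is not valid JSON is scanned as raw text so a malformed probe is not silently skipped.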
Recommendations
Adobe Commerce versions prior to 2.4.7 should be updated.
Adobe Commerce versions prior to 2.4.6-p5 should be updated.
Adobe Commerce versions prior to 2.4.5-p7 should be updated.
Adobe Commerce versions prior to 2.4.4-p8 should be updated.

Tags: Exploit · Fix · RCE · XXE

Weakness Enumeration

Related Identifiers

BDU:2024-04655
BIT-MAGENTO-2024-34102
CVE-2024-34102
GHSA-M8CJ-3V68-3CXJ

Affected Products

Commerce