PT-2024-4170 · Adobe · Commerce
Jakaba01 · Published 2024-06-11 · Updated 2026-03-22 · CVE-2024-34102
CVSS v2.0: 10 (Critical) | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Product: Adobe Commerce and Magento Open Source
Affected versions: Adobe Commerce 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier.
Description
Adobe Commerce and Magento Open Source are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. The issue could allow an attacker to execute arbitrary code by sending a crafted XML document that references external entities. The vulnerability is actively exploited: reports indicate that over 4,000 stores have been compromised and that approximately 5% of Adobe Commerce and Magento stores are affected. Multiple threat actors are exploiting the flaw and injecting malicious scripts. Successful exploitation lets attackers steal data and potentially compromise the cryptographic keys used for authentication; in particular, the app/etc/env.php file, which contains sensitive cryptographic keys, may be exposed. Exploitation requires no user interaction.
Recommendations
Upgrade to a version later than 2.4.7-p1 to address this vulnerability.
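The weakness class behind this entry is an XML parser that honours DOCTYPE and external entity declarations in attacker-supplied input. The following Python snippet is an added illustration for defenders and is not Adobe's, Magento's or the advisory's own code: it shows what an external entity reference looks like in a document and applies the standard mitigation, rejecting any DOCTYPE or ENTITY declaration before the document reaches the parser. The sample documents, the `placeholder.invalid` host and the `screen` helper are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD construct is refused outright; legitimate API payloads have no
# reason to carry a DOCTYPE, and refusing it removes the whole XXE surface
# (external entities, parameter entities and entity-expansion attacks alike).
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when input carries DTD constructs that a hardened parser must not process."""


def contains_dtd(data: bytes) -> bool:
    """True if the raw document declares a DOCTYPE or an ENTITY."""
    return DTD_MARKERS.search(data) is not None


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML only after confirming it declares no DTD."""
    if contains_dtd(data):
        raise UnsafeXmlError("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(data)


# Constructed sample inputs: a benign payload and one that declares an
# external entity (the URL is a non-resolvable placeholder).
BENIGN = b"<order><sku>ABC-123</sku><qty>2</qty></order>"
HOSTILE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "http://placeholder.invalid/resource"> ]>\n'
    b"<order><sku>&ext;</sku></order>"
)


def screen(data: bytes) -> tuple:
    """Return ('accepted', root tag) or ('rejected', reason) for a document."""
    try:
        root = safe_parse(data)
        return ("accepted", root.tag)
    except UnsafeXmlError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, screen(doc))
```

The guard runs on the raw bytes rather than on parser events, so it also catches declarations that a lenient parser would silently accept; the same pre-check can be applied to XML embedded inside other formats before it is handed to any XML library.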
Tags: Exploit · Fix · RCE · XXE
Affected Products: Commerce