Critical severityCISA KEVNVD Advisory· Published Jun 13, 2024· Updated Oct 21, 2025
XXE can expose crypt key and other secrets granting full admin access
CVE-2024-34102
Description
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/community-editionPackagist | >= 2.4.6-p1, < 2.4.6-p6 | 2.4.6-p6 |
magento/community-editionPackagist | >= 2.4.5-p1, < 2.4.5-p8 | 2.4.5-p8 |
magento/community-editionPackagist | < 2.4.4-p9 | 2.4.4-p9 |
Affected products
3- osv-coords2 versions
>= 2.4.7-alpha0, < 2.4.7-p1+ 1 more
- (no CPE)range: >= 2.4.7-alpha0, < 2.4.7-p1
- (no CPE)
- Range: 0
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-m8cj-3v68-3cxjghsaADVISORY
- helpx.adobe.com/security/products/magento/apsb24-40.htmlghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-34102ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2024-34102.yamlghsaWEB
- github.com/magento/magento2/commit/30877fce83b793f71421c47347885cf076e81799ghsaWEB
- github.com/magento/magento2/commit/a3c6d6e5e95e63031e4df26cfcf76feace7549c2ghsaWEB
- github.com/magento/magento2/commit/c5c538810b87449886f4669cb8abbe8e5593c83cghsaWEB
- github.com/magento/magento2/commit/d10435b11ada4e502dca7539f8fd31d059d3c482ghsaWEB
- www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102ghsaWEB
News mentions
0No linked articles in our index yet.