First published: Thu Jun 13 2024(Updated: )
Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution.
Credit: psirt@adobe.com psirt@adobe.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/magento/community-edition | =2.4.7 | |
composer/magento/community-edition | =2.4.6 | |
composer/magento/community-edition | =2.4.5 | |
composer/magento/community-edition | <2.4.4-p9 | 2.4.4-p9 |
composer/magento/community-edition | >=2.4.5-p1<2.4.5-p8 | 2.4.5-p8 |
composer/magento/community-edition | >=2.4.6-p1<2.4.6-p6 | 2.4.6-p6 |
composer/magento/community-edition | =2.4.4 | |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
Adobe Magento | ||
Adobe Magento Commerce | =2.4.2 | |
Adobe Magento Commerce | =2.4.2-ext-1 | |
Adobe Magento Commerce | =2.4.2-ext-2 | |
Adobe Magento Commerce | =2.4.2-ext-3 | |
Adobe Magento Commerce | =2.4.2-ext-4 | |
Adobe Magento Commerce | =2.4.2-ext-7 | |
Adobe Magento Commerce | =2.4.3 | |
Adobe Magento Commerce | =2.4.3-ext-1 | |
Adobe Magento Commerce | =2.4.3-ext-2 | |
Adobe Magento Commerce | =2.4.3-ext-3 | |
Adobe Magento Commerce | =2.4.3-ext-4 | |
Adobe Magento Commerce | =2.4.3-ext-7 | |
Adobe Magento Commerce | =2.4.4 | |
Adobe Magento Commerce | =2.4.4-p1 | |
Adobe Magento Commerce | =2.4.4-p2 | |
Adobe Magento Commerce | =2.4.4-p3 | |
Adobe Magento Commerce | =2.4.4-p4 | |
Adobe Magento Commerce | =2.4.4-p5 | |
Adobe Magento Commerce | =2.4.4-p6 | |
Adobe Magento Commerce | =2.4.4-p8 | |
Adobe Magento Commerce | =2.4.5 | |
Adobe Magento Commerce | =2.4.5-p1 | |
Adobe Magento Commerce | =2.4.5-p2 | |
Adobe Magento Commerce | =2.4.5-p3 | |
Adobe Magento Commerce | =2.4.5-p4 | |
Adobe Magento Commerce | =2.4.5-p5 | |
Adobe Magento Commerce | =2.4.5-p7 | |
Adobe Magento Commerce | =2.4.6 | |
Adobe Magento Commerce | =2.4.6-p1 | |
Adobe Magento Commerce | =2.4.6-p2 | |
Adobe Magento Commerce | =2.4.6-p3 | |
Adobe Magento Commerce | =2.4.6-p5 | |
Adobe Magento Commerce | =2.4.7 | |
Adobe Commerce | >=1.2.0<1.5.0 | |
Magento | =2.4.4 | |
Magento | =2.4.4-p1 | |
Magento | =2.4.4-p2 | |
Magento | =2.4.4-p3 | |
Magento | =2.4.4-p4 | |
Magento | =2.4.4-p5 | |
Magento | =2.4.4-p6 | |
Magento | =2.4.4-p7 | |
Magento | =2.4.4-p8 | |
Magento | =2.4.5 | |
Magento | =2.4.5-p1 | |
Magento | =2.4.5-p2 | |
Magento | =2.4.5-p3 | |
Magento | =2.4.5-p4 | |
Magento | =2.4.5-p5 | |
Magento | =2.4.5-p6 | |
Magento | =2.4.5-p7 | |
Magento | =2.4.6 | |
Magento | =2.4.6-p1 | |
Magento | =2.4.6-p2 | |
Magento | =2.4.6-p3 | |
Magento | =2.4.6-p4 | |
Magento | =2.4.6-p5 | |
Magento | =2.4.7 | |
Magento | =2.4.7-b1 |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-34102 is considered a critical vulnerability as it allows for remote code execution.
To mitigate CVE-2024-34102, upgrade Adobe Commerce or Magento Open Source to version 2.4.4-p9 or later.
CVE-2024-34102 affects Adobe Commerce and Magento Open Source versions 2.4.2 to 2.4.7.
CVE-2024-34102 is classified as an improper restriction of XML external entity reference (XXE) vulnerability.
Yes, CVE-2024-34102 can lead to data breaches as it allows attackers to execute arbitrary code on the affected systems.