Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
An attacker sends a crafted XML document containing references to external XML entities (XML External Entity). The application processes this document without appropriate restrictions, allowing the reading of system files, execution of requests to internal resources, or escalation to full code execution. The vulnerability is remotely accessible without requiring an account or any user interaction.
An attacker can gain full control of the server through arbitrary code execution (RCE), as well as compromise the confidentiality, integrity, and availability of the system.
Patches available from the vendor should be applied immediately in accordance with Adobe security bulletin APSB24-40 (https://helpx.adobe.com/security/products/magento/apsb24-40.html).
Adobe Commerce in versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAdobe Commerce
APPAdobe2.4.22.4.32.4.42.4.52.4.62.4.7Adobe Commerce Webhooks
APPAdobe1.2.0 – 1.5.0 (bez)Adobe Magento
APPAdobe2.4.42.4.52.4.62.4.7
CISA KEV — detailsi
- Vendori
- Adobe ↗
- Producti
- Commerce and Magento Open Source
- Added to KEVi
- July 17, 2024
- Remediation deadline (US Federal)i
- August 7, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution.
Related vulnerabilities
Adobe Commerce/Magento — przejęcie sesji przez Improper Input Validation
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input va...
Adobe Commerce — Incorrect Authorization umożliwiające privilege escalation
Adobe Commerce — nieprawidłowe uwierzytelnienie umożliwiające privilege escalation
Adobe Commerce — RCE poprzez nieograniczony upload niebezpiecznych plików