Active Exploitation of a Critical Vulnerability in Adobe Commerce Products
25 October 2024
Adobe has released security updates addressing a critical vulnerability (CVE-2024-34102) in Adobe Commerce products. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10 and is reportedly being actively exploited.
The vulnerability is an improper restriction of XML external entity reference (XXE). Successful exploitation could allow an attacker to perform arbitrary code execution by sending a crafted XML document that references external entities.
The critical vulnerability affects the following product versions:
• Adobe Commerce version 2.4.7 and earlier
• Adobe Commerce version 2.4.6-p5 and earlier
• Adobe Commerce version 2.4.5-p7 and earlier
• Adobe Commerce version 2.4.4-p8 and earlier
• Adobe Commerce version 2.4.3-ext-7 and earlier
• Adobe Commerce version 2.4.2-ext-7 and earlier
• Magento Open Source version 2.4.7 and earlier
• Magento Open Source version 2.4.6-p5 and earlier
• Magento Open Source version 2.4.5-p7 and earlier
• Magento Open Source version 2.4.4-p8 and earlier
• Adobe Commerce Webhooks Plugin version 1.2.0 to 1.4.0
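The list above can be turned into an inventory check. The following is an added example, not code from Adobe or from this advisory: the product keys (`adobe-commerce`, `magento-open-source`, `webhooks-plugin`) are hypothetical labels, and the ordering of `-pN` before `-ext-N` on the same release line, and the handling of release lines the advisory does not list, are assumptions.

```python
import re

# Highest affected release on each release line, copied from the advisory.
LISTED = {
    "adobe-commerce": ["2.4.7", "2.4.6-p5", "2.4.5-p7", "2.4.4-p8",
                       "2.4.3-ext-7", "2.4.2-ext-7"],
    "magento-open-source": ["2.4.7", "2.4.6-p5", "2.4.5-p7", "2.4.4-p8"],
}
WEBHOOKS_RANGE = ((1, 2, 0), (1, 4, 0))  # Webhooks Plugin, inclusive bounds

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(p|ext-)(\d+))?$")


def parse(version):
    """Return (release_line, rank), e.g. '2.4.6-p5' -> ((2, 4, 6), (0, 5))."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    line = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return line, (0, 0)  # a base release is treated as patch level 0
    # Assumption: every -ext-N release sorts after every -pN on the same line.
    return line, (1 if m.group(4) == "ext-" else 0, int(m.group(5)))


def is_affected(product, version):
    """True if `version` is at or below the advisory's listed release."""
    line, rank = parse(version)
    if product == "webhooks-plugin":
        low, high = WEBHOOKS_RANGE
        return low <= line <= high
    thresholds = dict(parse(v) for v in LISTED[product])
    if line in thresholds:
        return rank <= thresholds[line]
    # Assumption: an unlisted release line counts as "earlier" only when it
    # is older than the newest listed line for that product.
    return line < max(thresholds)


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    inventory = [("adobe-commerce", "2.4.6-p5"), ("adobe-commerce", "2.4.7-p1"),
                 ("magento-open-source", "2.4.4-p3"), ("webhooks-plugin", "1.3.0")]
    for product, version in inventory:
        state = "AFFECTED" if is_affected(product, version) else "not listed"
        print(f"{product:22} {version:12} {state}")
```

A "not listed" result only means the version falls outside the ranges in this advisory; it says nothing about whether the host was compromised before it was updated.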
Users and administrators of affected product versions are advised to update to the latest version immediately. Additionally, administrators should note that patching to the latest version will not address any prior compromise. Organisations running older versions are also advised to review relevant logs or artifacts for unauthorised access and potential malicious code injection.
More information is available here:
https://helpx.adobe.com/security/products/magento/apsb24-40.html