CVE-2024-34102
XXE can expose crypt key and other secrets granting full admin access
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
| CWE | CWE-611 |
| Vendor | adobe |
| Product | adobe commerce |
| Ecosystems | |
| Industries | TechnologyMedia |
| Published | Jun 13, 2024 |
| Last Updated | Oct 21, 2025 |
โ ๏ธ Actively Exploited โ Act Now
Get instant alerts for adobe adobe commerce
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2024-34102.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Adobe / Adobe Commerce
0 โค 2.4.4-p8
References
helpx.adobe.com: https://helpx.adobe.com/security/products/magento/apsb24-40.html vicarius.io: https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102 cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-34102