CVE-2024-34102— Adobe Commerce 代码问题漏洞
公开利用映射 3
Metasploit · 2 magento_xxe_to_glibc_buf_overflow.rb#CVE-2024-34102 [exploit] magento_xxe_cve_2024_34102.rb [auxiliary]
Nuclei · 1 CVE-2024-34102.yaml [template]
已观察到在野利用 cisa_kev · confirmed
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2024-34102 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
XXE can expose crypt key and other secrets granting full admin access
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Adobe Commerce 代码问题漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Adobe Commerce是美国奥多比(Adobe)公司的一种面向商家和品牌的全球领先的数字商务解决方案。 Adobe Commerce 存在代码问题漏洞,该漏洞源于受到不正确的 XML 外部实体引用 ( XXE ) 限制漏洞的影响,该漏洞可能导致任意代码执行。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
| 厂商 | 产品 | 影响版本 | CPE | 订阅 |
|---|---|---|---|---|
| Adobe | Adobe Commerce | 0 ~ 2.4.4-p8 | - |
二、漏洞 CVE-2024-34102 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce | https://github.com/ex-arny/CVE-2024-34102-RCE | POC详情 |
| 2 | None | https://github.com/ArturArz1/TestCVE-2024-34102 | POC详情 |
| 3 | CVE-2024-34102: Unauthenticated Magento XXE | https://github.com/th3gokul/CVE-2024-34102 | POC详情 |
| 4 | POC for CVE-2024-34102. A pre-authentication XML entity injection issue in Magento / Adobe Commerce. | https://github.com/bigb0x/CVE-2024-34102 | POC详情 |
| 5 | CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce | https://github.com/dr3u1d/CVE-2024-34102-RCE | POC详情 |
| 6 | None | https://github.com/11whoami99/CVE-2024-34102 | POC详情 |
| 7 | A PoC demonstration , critical XML entity injection vulnerability in Magento | https://github.com/d0rb/CVE-2024-34102 | POC详情 |
| 8 | CosmicSting (CVE-2024-34102) | https://github.com/Chocapikk/CVE-2024-34102 | POC详情 |
| 9 | TEST CVE-2024-34102 Magento XXE | https://github.com/cmsec423/CVE-2024-34102 | POC详情 |
| 10 | Magento XXE (CVE-2024-34102) | https://github.com/0x0d3ad/CVE-2024-34102 | POC详情 |
| 11 | None | https://github.com/cmsec423/Magento-XXE-CVE-2024-34102 | POC详情 |
| 12 | CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102) | https://github.com/jakabakos/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento | POC详情 |
| 13 | None | https://github.com/0xhunster/CVE-2024-34102 | POC详情 |
| 14 | CosmicSting (CVE-2024-34102) POC / Patch Validator | https://github.com/SamJUK/cosmicsting-validator | POC详情 |
| 15 | poc for CVE-2024-34102 | https://github.com/unknownzerobit/poc | POC详情 |
| 16 | CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce | https://github.com/Ex-Arn/CVE-2024-34102-RCE | POC详情 |
| 17 | Burp Extension to test for CVE-2024-34102 | https://github.com/crynomore/CVE-2024-34102 | POC详情 |
| 18 | CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce | https://github.com/1mpl3ment3d/CVE-2024-34102-RCE-POC | POC详情 |
| 19 | Exploitation CVE-2024-34102 | https://github.com/bughuntar/CVE-2024-34102 | POC详情 |
| 20 | CVE-2024-34102 Exploiter based on Python | https://github.com/bughuntar/CVE-2024-34102-Python | POC详情 |
| 21 | None | https://github.com/Phantom-IN/CVE-2024-34102 | POC详情 |
| 22 | CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce and (NEW 0DAY)? | https://github.com/ex-ARnX/CVE-2024-34102-PoC | POC详情 |
| 23 | CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce | https://github.com/etx-Arn/CVE-2024-34102-RCE | POC详情 |
| 24 | CVE-2024-34102 unauthenticated RCE PoC for Magento/adobe commerce | https://github.com/etx-Arn/CVE-2024-34102-RCE-PoC | POC详情 |
| 25 | Magento 2 patch for CVE-2024-34102(aka CosmicSting). Another way(as an extension) to hotfix the security hole if you cannot apply the official patch or cannot upgrade Magento. | https://github.com/wubinworks/magento2-cosmic-sting-patch | POC详情 |
| 26 | PoC for CVE-2024-34102 | https://github.com/EQSTSeminar/CVE-2024-34102 | POC详情 |
| 27 | adobe commerce | https://github.com/Jhonsonwannaa/CVE-2024-34102 | POC详情 |
| 28 | PoC for CVE-2024-34102 | https://github.com/EQSTLab/CVE-2024-34102 | POC详情 |
| 29 | None | https://github.com/bka/magento-cve-2024-34102-exploit-cosmicstring | POC详情 |
| 30 | adobe commerce | https://github.com/dream434/CVE-2024-34102 | POC详情 |
| 31 | A utility for Magento 2 encryption key rotation and management. CVE-2024-34102(aka Cosmic Sting) victims can use it as an aftercare. | https://github.com/wubinworks/magento2-encryption-key-manager-cli | POC详情 |
| 32 | None | https://github.com/mksundaram69/CVE-2024-34102 | POC详情 |
| 33 | None | https://github.com/Koray123-debug/CVE-2024-34102 | POC详情 |
| 34 | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-34102.yaml | POC详情 |
| 35 | None | https://github.com/Kento-Sec/CVE-2024-34102 | POC详情 |
| 36 | CVE-2024-34102 exploit for python3 | https://github.com/nmmorette/CVE-2024-34102 | POC详情 |
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2024-34102 的情报信息
请登录查看更多情报信息。
CVE-2024-34102 厂商安全公告 (1)
CVE-2024-34102 安全博客文章 (1)
同批安全公告 · Adobe · 2024-06-13 · 共 165 条
| CVE-2024-30299 | 10.0 CRITICAL | Adobe Framemaker 授权问题漏洞 |
| CVE-2024-30300 | 9.8 CRITICAL | Adobe Framemaker 信息泄露漏洞 |
| CVE-2024-34108 | 9.1 CRITICAL | Adobe Commerce 输入验证错误漏洞 |
| CVE-2024-34104 | 8.2 HIGH | Adobe Commerce 授权问题漏洞 |
| CVE-2024-34103 | 8.1 HIGH | Adobe Commerce 安全漏洞 |
| CVE-2024-34115 | 7.8 HIGH | Adobe Substance 3D Stager 缓冲区错误漏洞 |
| CVE-2024-20753 | 7.8 HIGH | Adobe Photoshop 缓冲区错误漏洞 |
| CVE-2024-26029 | 7.5 HIGH | Adobe Experience Manager 访问控制错误漏洞 |
| CVE-2024-34129 | 7.5 HIGH | Adobe Acrobat Mobile Sign Android 路径遍历漏洞 |
| CVE-2024-34112 | 7.5 HIGH | Adobe ColdFusion 访问控制错误漏洞 |
| CVE-2024-34109 | 7.2 HIGH | Adobe Commerce 输入验证错误漏洞 |
| CVE-2024-34110 | 7.2 HIGH | Adobe Commerce 代码问题漏洞 |
| CVE-2024-34116 | 7.1 HIGH | Adobe Creative Cloud Desktop Application 代码问题漏洞 |
| CVE-2024-34111 | 6.5 MEDIUM | Adobe Commerce 安全漏洞 |
| CVE-2024-34130 | 5.5 MEDIUM | Adobe Acrobat Mobile Sign Android 安全漏洞 |
| CVE-2024-30276 | 5.5 MEDIUM | Adobe Audition 缓冲区错误漏洞 |
| CVE-2024-30285 | 5.5 MEDIUM | Adobe Audition 代码问题漏洞 |
| CVE-2024-34113 | 5.5 MEDIUM | Adobe ColdFusion 安全漏洞 |
| CVE-2024-30278 | 5.5 MEDIUM | Adobe Media Encoder 缓冲区错误漏洞 |
| CVE-2024-26072 | 5.4 MEDIUM | Adobe Experience Manager 跨站脚本漏洞 |
显示前 20 条,共 165 条。 查看全部 → →
IV. Related Vulnerabilities
V. Comments for CVE-2024-34102
暂无评论