Adobe Commerce/Magento XXE Vulnerability (APSB24-40)

critical Nessus Plugin ID 255220

Synopsis

The Adobe Commerce/Magento Open Source instance installed on the remote host is affected by an XXE vulnerability.

Description

The version of Adobe Commerce/Magento Open Source installed on the remote host falls within one of the following ranges:

- 2.4.7 < 2.4.7-p1 (Adobe Commerce)
- 2.4.6 < 2.4.6-p6 (Adobe Commerce)
- 2.4.5 < 2.4.5-p8 (Adobe Commerce)
- 2.4.4 < 2.4.4-p9 (Adobe Commerce)
- 2.4.3 < 2.4.3-ext-8 (Adobe Commerce)
- 2.4.2 < 2.4.2-ext-8 (Adobe Commerce)
- 2.4.7 < 2.4.7-p1 (Magento Open Source)
- 2.4.6 < 2.4.6-p6 (Magento Open Source)
- 2.4.5 < 2.4.5-p8 (Magento Open Source)
- 2.4.4 < 2.4.4-p9 (Magento Open Source)

It is, therefore, affected by an XXE vulnerability as referenced in the APSB24-40 advisory.

- Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. (CVE-2024-34102)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade Adobe Commerce/Magento Open Source to the fixed version advised in the APSB24-40 advisory.

See Also

http://www.nessus.org/u?141adee4

Plugin Details

Severity: Critical

ID: 255220

File Name: adobe_commerce_apsb24-40-paranoid.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 8/26/2025

Updated: 8/26/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-34102

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:adobe:commerce, cpe:/a:adobe:magento

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/11/2024

Vulnerability Publication Date: 6/11/2024

CISA Known Exploited Vulnerability Due Dates: 8/7/2024

Exploitable With

Metasploit (CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961))

Reference Information

CVE: CVE-2024-34102