Recent Adobe Commerce Vulnerability Exploited in Wild

Adobe and CISA warn that a recent Adobe Commerce vulnerability has been exploited in the wild.

The US cybersecurity agency CISA and Adobe this week warned of a recent Adobe Commerce vulnerability being actively exploited in attacks.

The flaw, tracked as CVE-2024-34102 (CVSS score of 9.8), is an improper restriction of XML external entity reference (XXE, CWE-611) issue that could allow attackers to execute arbitrary code.

“An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction,” a NIST advisory reads.
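To make the advisory's description concrete, the following PHP snippet is an added illustration of the XXE bug class, not Adobe Commerce code and not the actual trigger for CVE-2024-34102. It shows a constructed XML document whose DTD declares an external entity pointing at a local file, a parser call that substitutes that entity (the vulnerable pattern), and a hardened variant that refuses DOCTYPE declarations and never enables entity substitution. The element names, the file path, and the function names are assumptions made for the example.

```php
<?php
// Added illustration of XXE (CWE-611); not Adobe Commerce code and not the
// real CVE-2024-34102 payload. Element names and the file path are constructed.
$crafted = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY secret SYSTEM "file:///etc/hostname">
]>
<order><note>&secret;</note></order>
XML;

// Vulnerable pattern: LIBXML_NOENT tells libxml2 to substitute entities,
// including external ones, so the referenced file's contents end up in the
// parsed tree and are returned to the caller.
function parseVulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return (string) $doc->note;
}

// Hardened pattern: never pass LIBXML_NOENT, block network fetches with
// LIBXML_NONET as a second layer, and reject any document carrying a DOCTYPE,
// since an order payload has no legitimate reason to declare entities.
function parseHardened(string $xml): string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('malformed XML');
    }
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    $note = $doc->getElementsByTagName('note')->item(0);
    return $note === null ? '' : $note->textContent;
}

echo "vulnerable: " . parseVulnerable($crafted) . PHP_EOL; // leaks the file's contents
try {
    parseHardened($crafted);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")" . PHP_EOL;
}
```

The point of the DOCTYPE check is that it fails closed: a parser option can be re-enabled by a later code change, whereas refusing the DTD altogether removes the place where external entities are declared. The same file-read primitive is why any secret stored in a configuration file on an exposed instance has to be treated as compromised once an XXE flaw has been reachable.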

Adobe warned of the security defect on June 11, when it announced patches for Commerce versions 2.4.2 to 2.4.7 and Magento Open Source versions 2.4.4 to 2.4.7. On June 28, the company released an isolated patch targeting the same vulnerability.

On Wednesday, July 17, Adobe announced an additional hotfix for the vulnerability, urging customers to check all production and non-production environments and confirm that each has been patched properly.

“This is an urgent update related to CVE-2024-34102. Adobe is aware that CVE-2024-34102 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” the company said in its advisory.

Adobe describes two remediation paths. Customers who apply the June 11 security update must then apply the new hotfix and rotate their encryption keys. Alternatively, customers can apply the isolated patch, which now bundles the hotfix, and then rotate their encryption keys.

Customers who had already applied both the security update and the isolated patch still need to apply the July 17 hotfix and then rotate their encryption keys. Rotating the keys earlier does not remove the need for the hotfix: customers who already rotated keys after applying the update and the isolated patch must apply the hotfix as well. The rotation matters because an XXE flaw lets an attacker read files from the server, so any secret present in configuration on an exposed instance should be treated as compromised.

On Wednesday, CISA added CVE-2024-34102 to its Known Exploited Vulnerabilities (KEV) catalog, along with CVE-2024-28995 (path traversal in SolarWinds Serv-U) and CVE-2022-22948 (incorrect default file permissions in VMware vCenter Server).

Per Binding Operational Directive (BOD) 22-01, federal agencies have until August 7 to identify and remediate vulnerable instances in their environments.

Website owners and organizations are advised to review CISA’s KEV list and address all identified vulnerabilities as soon as possible.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.