{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aadobecommerce2.4.2ext-2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:adobe:commerce:2.4.2:-:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.2:ext-1:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.2:ext-2:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.2:ext-3:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.2:ext-4:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.2:ext-7:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.3:ext-1:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.3:ext-2:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.3:ext-3:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.3:ext-4:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.3:ext-7:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*","cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-34102"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Commerce"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-34102","xxe","adobe commerce","magento"],"_cs_type":"advisory","_cs_vendors":["Adobe"],"content_html":"\u003cp\u003eA public exploit, dubbed \u0026ldquo;CosmicSting\u0026rdquo;, has been published on Sploitus, targeting CVE-2024-34102, an XML External Entity (XXE) Injection vulnerability in Adobe Commerce (Magento). This vulnerability affects versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. 
The exploit allows unauthenticated attackers to perform remote file reads, Server-Side Request Forgery (SSRF), and potentially achieve Remote Code Execution (RCE). The exploit suite includes attack vectors targeting various REST endpoints and direct path access to sensitive files. The availability of a working exploit increases the risk to unpatched Adobe Commerce systems significantly, as attackers can now easily leverage this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted HTTP request to one of the vulnerable Adobe Commerce REST endpoints, such as \u003ccode\u003e/rest/V1/guest-carts/{id}/estimate-shipping-methods\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe HTTP request contains a malicious XML payload designed to exploit the XXE vulnerability (CVE-2024-34102).\u003c/li\u003e\n\u003cli\u003eThe Adobe Commerce application parses the XML payload without properly restricting external entity references.\u003c/li\u003e\n\u003cli\u003eThe application attempts to resolve the external entity, leading to either local file read or SSRF.\u003c/li\u003e\n\u003cli\u003eIf the attacker leverages local file read, sensitive files such as \u003ccode\u003eapp/etc/env.php\u003c/code\u003e (containing database credentials and encryption keys) or \u003ccode\u003e/etc/passwd\u003c/code\u003e (for user enumeration) are targeted.\u003c/li\u003e\n\u003cli\u003eIf the attacker leverages SSRF, they can interact with internal services or external websites on behalf of the server.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to extract sensitive information, potentially leading to further compromise.\u003c/li\u003e\n\u003cli\u003eIn some scenarios, the attacker may be able to leverage the XXE vulnerability to achieve Remote Code Execution (RCE) by chaining it with other vulnerabilities or 
misconfigurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-34102 can lead to sensitive information disclosure, including database credentials, encryption keys, and system user information. The vulnerability can also be leveraged for Server-Side Request Forgery (SSRF), allowing attackers to interact with internal services. In certain scenarios, Remote Code Execution (RCE) may be possible, potentially allowing complete control over the affected Adobe Commerce instance. The impact is high, with a CVSS score of 9.8, and affects multiple versions of Adobe Commerce.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches provided by Adobe to address CVE-2024-34102 on all Adobe Commerce instances.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Adobe Commerce XXE via Guest Cart Endpoint\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the identified REST endpoints (\u003ccode\u003e/rest/V1/guest-carts/{id}/estimate-shipping-methods\u003c/code\u003e, \u003ccode\u003e/rest/all/V1/guest-carts/{id}/estimate-shipping-methods\u003c/code\u003e, \u003ccode\u003e/rest/V1/guest-carts/{id}/billing-address\u003c/code\u003e, \u003ccode\u003e/rest/V1/orders\u003c/code\u003e, \u003ccode\u003e/rest/V1/order\u003c/code\u003e) to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-25T18:02:02Z","date_published":"2026-05-25T18:02:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-adobe-commerce-xxe/","summary":"A public exploit, named CosmicSting, has been released for CVE-2024-34102, an XML External Entity (XXE) Injection vulnerability in Adobe Commerce allowing for unauthenticated remote file read, SSRF, and potential RCE.","title":"Adobe 
Commerce XXE Vulnerability (CVE-2024-34102) Exploit Released","url":"https://feed.craftedsignal.io/briefs/2026-05-adobe-commerce-xxe/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:adobe:commerce:2.4.2:ext-2:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}