Improper XML External Entity Reference in Adobe Commerce (XXE)
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (XXE) vulnerability, tracked as CVE-2024-34102 and later dubbed "CosmicSting", that can result in arbitrary code execution. An attacker can exploit it by sending a crafted XML document that references external entities; exploitation requires no user interaction.
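The following is an added example, not Adobe Commerce code and not an exploit for this CVE. It shows the mechanism the description refers to: the same crafted XML document handed to an XML parser that resolves external entities versus one that does not, plus the stricter pre-parse check of refusing any DOCTYPE in untrusted input. It uses only Python's standard-library `xml.sax` parser; the "secret" file, its contents and the payload are constructed for the demo, and the names `build_xxe_payload`, `parse_text`, `safe_parse_text` and `run_demo` are this example's own.

```python
# Added example (not Adobe Commerce code): XXE against a parser that resolves
# external general entities vs. one that does not, and a DOCTYPE-rejecting
# wrapper. Standard library only, so it runs offline.
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive local file the attacker wants to read.
SECRET = "db_password=s3cr3t-value"

# Any document type declaration. Refusing the whole DTD (not just SYSTEM/PUBLIC
# entities) also blocks parameter-entity and entity-expansion (billion laughs)
# variants, and untrusted input never legitimately needs one.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def build_xxe_payload(target_path: str) -> bytes:
    """Classic XXE: declare an external general entity that points at a local
    file and reference it from the body, so the file's contents become text."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<data>&xxe;</data>\n"
    ).encode()


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with xml.sax. The feature flag is the only difference between the
    vulnerable configuration (True: fetch external entities) and the hardened
    one (False: external entity references are skipped)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def safe_parse_text(xml_bytes: bytes) -> str:
    """Defence in depth: refuse any DTD before parsing, then parse with
    external entity resolution disabled anyway."""
    if _DOCTYPE_RE.search(xml_bytes):
        raise ValueError("DOCTYPE not allowed in untrusted XML")
    return parse_text(xml_bytes, resolve_external_entities=False)


def run_demo() -> dict:
    """Write the constructed secret to a temp file, feed the payload to both
    parser configurations and report what each returned."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")  # constructed target file
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(SECRET)
        payload = build_xxe_payload(target)
        results = {
            "vulnerable": parse_text(payload, resolve_external_entities=True),
            "hardened": parse_text(payload, resolve_external_entities=False),
        }
        try:
            safe_parse_text(payload)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable configuration returns the file contents as the element's text; the hardened one returns an empty string; the wrapper refuses the document before it reaches the parser. Adobe Commerce itself is PHP, where the analogous mistake is parsing untrusted XML with `LIBXML_NOENT` (and, on older libxml2 and PHP builds, leaving the external entity loader enabled); the principle is the same: untrusted XML must be parsed with entity resolution off, and ideally with DTDs rejected outright.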
| Vulnerable Product |
|---|
| adobe commerce 2.4.2 |
| adobe commerce 2.4.3 |
| adobe commerce 2.4.4 |
| adobe commerce 2.4.5 |
| adobe commerce 2.4.6 |
| adobe commerce 2.4.7 |
| adobe commerce webhooks |
| adobe magento 2.4.4 |
| adobe magento 2.4.5 |
| adobe magento 2.4.6 |
| adobe magento 2.4.7 |
Hackers inject malicious JS in Cisco store to steal credit cards, credentials
By Ionut Ilascu, September 4, 2024 11:48 AM
Cisco’s site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout.
CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites
By Bill Toulas, June 20, 2024 04:02 PM
A vulnerability dubbed "CosmicSting" impacting Adobe Commerce and Magento websites remains largely unpatched nine days after the security update was made available, leaving millions of sites open to catastrophic attacks. According to Sansec's stats, roughly three out of four websites using the impacted e-commerce platforms have not patched against CosmicSting, which puts them at risk of XML...
The 'security issue' was caused by a 9.8-rated Magento flaw Adobe patched back in June
Bad news for anyone who purchased a Cisco hoodie earlier this month: Suspected Russia-based attackers injected data-stealing JavaScript into the networking giant's online store selling Cisco-branded merch. Cisco has since fixed the issue caused by a flaw in Adobe's Magento platform, which could have allowed crooks to steal shoppers' credit card details and other sensitive information at checkout. "A Cisco-branded merchandise website that's hosted and administered by a third-party supplier was te...
Gangs hit 5% of all Adobe Commerce, Magento-powered stores, Sansec says
Ray-Ban, National Geographic, Whirlpool, and Segway are among thousands of brands whose web stores were reportedly compromised by criminals exploiting the CosmicSting flaw in hope of stealing shoppers' payment card info as they order stuff online. CosmicSting is the name for a critical vulnerability, CVE-2024-34102, in Adobe's Commerce and Magento software, and can be used to tamper with the pages of sites so that user data can be quietly siphoned. At least seven cybercrime gangs are said to be beh...