CVE-2024-34102 PoC — XXE can expose crypt key and other secrets granting full admin access

Source
Associated Vulnerability
Title: XXE can expose crypt key and other secrets granting full admin access (CVE-2024-34102)
Description: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Description
Magento XXE (CVE-2024-34102)
Readme
# CVE-2024-34102


### Usage

```bash
python3 CVE-2024-34102.py -h

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL
  -ip IP, --ip IP       Your IP address
  -p PORT, --port PORT  Port for HTTP server
  -f FILE, --file FILE  Path to the file to be included in the POC
```

![POC](POC/1.png)

![POC](POC/2.png)
File Snapshot

[4.0K] /data/pocs/1bd4409b04e49c2f524bddbbfd09f41178bdccbd
├── [5.4K] CVE-2024-34102.py
├── [4.0K] POC
│   ├── [135K] 1.png
│   └── [ 40K] 2.png
└── [ 373] README.md

1 directory, 4 files