Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-34102 PoC — XXE can expose crypt key and other secrets granting full admin access

Source
https://github.com/SamJUK/cosmicsting-validator
Associated Vulnerability
Title:XXE can expose crypt key and other secrets granting full admin access (CVE-2024-34102)
Description:Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Description
CosmicSting (CVE-2024-34102) POC / Patch Validator
Readme
A [Cosmicsting POC](https://github.com/Chocapikk/CVE-2024-34102), with a bash script to check all of our hosted sites to confirm the patch.

This repository is provided to allow store owners / hosts to confirm the patch is applied on stores. Within `check.bash` add domains to the `SITES` list.

[https://www.sdj.pw/posts/magento2-cosmic-sting-check/](https://www.sdj.pw/posts/magento2-cosmic-sting-check/)

[https://cosmicsting.samdjames.uk/](Online Validator https://cosmicsting.samdjames.uk/)

## Usage
```sh
# Create a python vitual environment for the project
python -m venv venv

# Install the requirements
pip install -r requirements.txt

# Run the bulk validator script
./z_validate sites/example.txt
./z_validate sites/acme.txt

# Run the POC against a single URL
./poc.py -u https://samdjames.uk

# For unpatched sites, run a very BASIC compromised check (dump script srcs)
# And run a diff against old detected scripts each execution
./z_compromise_check sites/example.txt
```
File Snapshot

 [4.0K]  /data/pocs/977927eb4c3e6d79a287abc66df678bad1c91cff
├── [ 505]  check.bash
├── [6.3K]  poc.py
├── [ 989]  README.md
├── [  50]  requirements.txt
├── [ 361]  scripts.py
├── [4.0K]  sites
│   └── [  49]  example.txt
├── [ 560]  z_compromise_check
└── [ 355]  z_validate

1 directory, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →