XML External Entity (XXE) Injection

2024-06-1405:45:18

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

xml external entity injection

magento

security vulnerability

code execution

crafted xml document

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

39.2%

JSON

magento/community-edition is vulnerabile to XML External Entity (XXE) Injection. The vulnerability is due to improper handling of XML documents which allows for external entities to be referenced, leading to potential arbitrary code execution. An attacker can exploit this by sending a crafted XML document that includes external entity references.

CPENameOperatorVersion
magento/community-editioneq2.4.7
magento/community-editioneq2.4.4
magento/community-editioneq2.4.6
magento/community-editioneq2.4.5
magento/community-editionle2.4.7-beta3
magento/community-editionle2.4.6-p5
magento/community-editionle2.4.4-p8
magento/community-editionle2.4.5-p7
magento/community-editioneq2.4.7
magento/community-editioneq2.4.4

Name	Operator	Version
magento/community-edition	eq	2.4.7
magento/community-edition	eq	2.4.4
magento/community-edition	eq	2.4.6
magento/community-edition	eq	2.4.5
magento/community-edition	le	2.4.7-beta3
magento/community-edition	le	2.4.6-p5
magento/community-edition	le	2.4.4-p8
magento/community-edition	le	2.4.5-p7
magento/community-edition	eq	2.4.7
magento/community-edition	eq	2.4.4