漏洞描述
Magento是一款开源的电子商务平台,广泛应用于在线商店和电子商务网站。该漏洞存在于接口/rest/all/V1/guest-carts/test-assetnote/estimate-shipping-methods中,攻击者可以通过构造恶意的XML数据触发XXE(XML外部实体)注入漏洞,从而读取服务器上的任意文件或发起外部请求,可能导致敏感信息泄露。
Magento /rest/all/V1/guest-carts/test-assetnote/estimate-shipping-methods XML 外部实体注入漏洞(CVE-2024-34102)
PoC代码
暂无相关漏洞推荐
- Adobe Commerce/Magento SessionReaper /customer/address_file/upload 文件上传漏洞(CVE-2025-54236)
- POC CVE-2015-2067: Magento Server MAGMI - Directory Traversal
- POC CVE-2015-2068: Magento Server Mass Importer - Cross-Site Scripting
- POC CVE-2019-7139: Magento - SQL Injection
- POC CVE-2020-5777: Magento Mass Importer <0.7.24 - Remote Auth Bypass
- POC CVE-2024-34102: Adobe Commerce & Magento - CosmicSting
- POC CVE-2022-3481: NotificationX Dropshipping < 4.4 - SQL Injection
- POC magento-config-disclosure: Magento Configuration Panel - Detect
- POC magento-installer: Magento Installation Wizard
- POC magento-cacheleak: Magento Cacheleak
- POC magento-unprotected-dev-files: Magento Unprotected development files
- POC CVE-2022-24086: Adobe Commerce (Magento) - Remote Code Execution
- Adobe Commerce CVE-2024-34102 XML外部实体注入漏洞