CVE-2024-23679

EUVD-2024-0245
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
Affected Products (NVD)
VendorProductVersion
enonicxp
𝑥
< 7.7.4
enonicxp
7.8.0:beta1
enonicxp
7.8.0:beta2
enonicxp
7.8.0:beta3
enonicxp
7.8.0:rc1
enonicxp
7.8.0:rc2
enonicxp
7.8.0:rc3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/issues/9253
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf
https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/issues/9253
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf