CVE-2024-23679

critical

Description

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

References

https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf

https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf

https://github.com/enonic/xp/issues/9253

https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842

https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4

https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff

https://github.com/advisories/GHSA-4m5p-5w5w-3jcf

Details

Source: Mitre, NVD

Published: 2024-01-19

Updated: 2024-01-26

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H