CVE-2024-23679

CRITICAL

Enonic XP <7.7.4 - Info Disclosure

Title source: llm

Description

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

References (7)

[Patch, Vendor Advisory] https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf

[Issue Tracking] https://github.com/enonic/xp/issues/9253

[Patch] https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff

[Patch] https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4

[Patch] https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/advisories/GHSA-4m5p-5w5w-3jcf

[Third Party Advisory] https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf

Scores

CVSS v3 9.8

EPSS 0.0122

EPSS Percentile 79.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-384

Status published

Products (3)

com.enonic.xp/lib-auth 0 - 7.7.4Maven

enonic/xp 7.8.0 beta1 (6 CPE variants)

enonic/xp < 7.7.4

Published Jan 19, 2024

Tracked Since Feb 18, 2026