CVE-2024-23679

Enonic XP Session Fixation Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

Las versiones de Enonic XP inferiores a 7.7.4 son vulnerables a un problema de reparación de sesión. Un atacante remoto y no autenticado puede utilizar sesiones anteriores debido a la falta de atributos de sesión invalidantes.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-19 CVE Reserved
2024-01-19 CVE Published
2024-07-11 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-384: Session Fixation

CAPEC

References (7)

URL	Tag	Source
https://github.com/advisories/GHSA-4m5p-5w5w-3jcf	Third Party Advisory
https://github.com/enonic/xp/issues/9253	Issue Tracking
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff	2024-01-26
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4	2024-01-26
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842	2024-01-26
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf	2024-01-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Enonic Search vendor "Enonic"		Xp Search vendor "Enonic" for product "Xp"				< 7.7.4 Search vendor "Enonic" for product "Xp" and version " < 7.7.4"		-		Affected
Enonic Search vendor "Enonic"		Xp Search vendor "Enonic" for product "Xp"				7.8.0 Search vendor "Enonic" for product "Xp" and version "7.8.0"		beta1		Affected
Enonic Search vendor "Enonic"		Xp Search vendor "Enonic" for product "Xp"				7.8.0 Search vendor "Enonic" for product "Xp" and version "7.8.0"		beta2		Affected
Enonic Search vendor "Enonic"		Xp Search vendor "Enonic" for product "Xp"				7.8.0 Search vendor "Enonic" for product "Xp" and version "7.8.0"		beta3		Affected
Enonic Search vendor "Enonic"		Xp Search vendor "Enonic" for product "Xp"				7.8.0 Search vendor "Enonic" for product "Xp" and version "7.8.0"		rc1		Affected
Enonic Search vendor "Enonic"		Xp Search vendor "Enonic" for product "Xp"				7.8.0 Search vendor "Enonic" for product "Xp" and version "7.8.0"		rc2		Affected
Enonic Search vendor "Enonic"		Xp Search vendor "Enonic" for product "Xp"				7.8.0 Search vendor "Enonic" for product "Xp" and version "7.8.0"		rc3		Affected