CVE-2024-23679 - Vulnerability Details

- Enonic XP Session Fixation Vulnerability

Description

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

Published: 2024-01-19

Score: 9.8 Critical

EPSS: 1.2% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`0`	affected	< 7.7.4

Configuration 1 [-]

OR	cpe:2.3:a:enonic:xp::::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta1::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta2::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta3::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc1::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc2::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc3::::::

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-4hrp-m3f2-643j	Session fixation in Enonic XP
Github GHSA	GHSA-4m5p-5w5w-3jcf	com.enonic.xp:lib-auth vulnerable to Session Fixation

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01219.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/issues/9253
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf

History

Sat, 29 Nov 2025 02:00:00 +0000

Type	Values Removed	Values Added
Description	Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.	Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

Fri, 30 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Enonic Xp

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2024-01-19T20:23:03.781Z

Updated: 2025-11-29T01:24:39.747Z

Reserved: 2024-01-19T17:35:09.984Z

Link: CVE-2024-23679

Vulnrichment

Updated: 2024-08-01T23:06:25.362Z

NVD

Status : Modified

Published: 2024-01-19T21:15:10.073

Modified: 2025-11-29T02:15:51.267

Link: CVE-2024-23679

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-384

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object