CVE-2024-23679

EPSS 1.22%
Veröffentlicht 19.01.2024 21:15:10
Zuletzt bearbeitet 29.11.2025 02:15:51
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Enonic ≫ Xp Version < 7.7.4

Enonic ≫ Xp Version7.8.0 Updatebeta1

Enonic ≫ Xp Version7.8.0 Updatebeta2

Enonic ≫ Xp Version7.8.0 Updatebeta3

Enonic ≫ Xp Version7.8.0 Updaterc1

Enonic ≫ Xp Version7.8.0 Updaterc2

Enonic ≫ Xp Version7.8.0 Updaterc3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.22%	0.785

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://github.com/advisories/GHSA-4m5p-5w5w-3jcf

Third Party Advisory

https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff

Patch

https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4

Patch

https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842

Patch

https://github.com/enonic/xp/issues/9253

Issue Tracking

https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf

Patch