9.8 (CVSS v3.1 base score)

CVE-2024-23679

Enonic XP Session Fixation Vulnerability

Enonic XP versions earlier than 7.7.4 are vulnerable to session fixation. A remote, unauthenticated attacker can reuse a session that existed before authentication, because the session's attributes are not invalidated when a user logs in.
Data provided by the National Vulnerability Database (NVD)
Affected versions:
Enonic XP version < 7.7.4
Enonic XP version 7.8.0, update beta1
Enonic XP version 7.8.0, update beta2
Enonic XP version 7.8.0, update beta3
Enonic XP version 7.8.0, update rc1
Enonic XP version 7.8.0, update rc2
Enonic XP version 7.8.0, update rc3
No warning notice was found for this CVE.
EPSS metrics
Type    Source      Score    Percentile
EPSS    FIRST.org   0.84%    0.529
CVSS metrics
Source                                  Base Score   Exploitability Score   Impact Score   Vector String
nvd@nist.gov                            9.8          3.9                    5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0    9.8          3.9                    5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-384: Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://github.com/advisories/GHSA-4m5p-5w5w-3jcf [Third Party Advisory]
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff [Patch]
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4 [Patch]
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842 [Patch]
https://github.com/enonic/xp/issues/9253 [Issue Tracking]
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf [Patch, Vendor Advisory]
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf [Third Party Advisory]