Enonic XP versions prior to 7.7.4 are vulnerable to session fixation. A remote, unauthenticated attacker can reuse a prior session because session attributes are not invalidated.
References
Link | Resource
---|---
https://github.com/advisories/GHSA-4m5p-5w5w-3jcf | Third Party Advisory
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff | Patch
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4 | Patch
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842 | Patch
https://github.com/enonic/xp/issues/9253 | Issue Tracking
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf | Patch, Vendor Advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf | Third Party Advisory
Configurations
Configuration 1
History
26 Jan 2024, 19:12
Type | Values Removed | Values Added
---|---|---
CPE | cpe:2.3:a:enonic:xp:7.8.0:beta1:*:*:*:*:*:*; cpe:2.3:a:enonic:xp:7.8.0:beta2:*:*:*:*:*:*; cpe:2.3:a:enonic:xp:7.8.0:rc2:*:*:*:*:*:*; cpe:2.3:a:enonic:xp:7.8.0:beta3:*:*:*:*:*:*; cpe:2.3:a:enonic:xp:*:*:*:*:*:*:*:*; cpe:2.3:a:enonic:xp:7.8.0:rc3:*:*:*:*:*:*; cpe:2.3:a:enonic:xp:7.8.0:rc1:*:*:*:*:*:* |
References | https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4 - Patch |
References | https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf - Third Party Advisory |
References | https://github.com/advisories/GHSA-4m5p-5w5w-3jcf - Third Party Advisory |
References | https://github.com/enonic/xp/issues/9253 - Issue Tracking |
References | https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf - Patch, Vendor Advisory |
References | https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff - Patch |
References | https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842 - Patch |
CWE | CWE-384 |
First Time | Enonic xp; Enonic |
CVSS | v2 : ; v3 : | v2 : unknown; v3 : 9.8
19 Jan 2024, 22:52
Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2024-01-19 21:15
Updated : 2024-02-28 20:54
NVD link : CVE-2024-23679
Mitre link : CVE-2024-23679
CVE.ORG link : CVE-2024-23679
Products Affected
enonic
- xp
CWE
CWE-384
Session Fixation