CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-23679

CVSS 9.8v3.1pub. 2024-01-19upd. 2025-11-29

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

🤖 AI Analysis
How it works

The application does not invalidate session attributes after user login, leading to a session fixation vulnerability (CWE-384). An attacker can use a previously existing session identifier that was not properly invalidated by the system. This makes it possible to hijack an authenticated user's session without knowing their login credentials.

Impact

An attacker can gain full access to an authenticated user's account, leading to violations of confidentiality, integrity, and availability of data processed in the Enonic XP system.

Mitigation & patch

Enonic XP should be updated to version 7.7.4 or newer. Fixes have been introduced in commits available in the project's GitHub repository (0189975, 1f44674, 2abac31).

Who is affected

Enonic XP in versions lower than 7.7.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Enonic Xp

    APP
    Enonic
    7.8.0< 7.7.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References