Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
The application does not invalidate session attributes after user login, leading to a session fixation vulnerability (CWE-384). An attacker can use a previously existing session identifier that was not properly invalidated by the system. This makes it possible to hijack an authenticated user's session without knowing their login credentials.
An attacker can gain full access to an authenticated user's account, leading to violations of confidentiality, integrity, and availability of data processed in the Enonic XP system.
Enonic XP should be updated to version 7.7.4 or newer. Fixes have been introduced in commits available in the project's GitHub repository (0189975, 1f44674, 2abac31).
Enonic XP in versions lower than 7.7.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEnonic Xp
APPEnonic7.8.0< 7.7.4