CVE-2024-23679 - Vulnerability Details - OpenCVE

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Enonic	Xp

Configuration 1 [-]

OR	cpe:2.3:a:enonic:xp::::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta1::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta2::::::
	cpe:2.3:a:enonic:xp:7.8.0:beta3::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc1::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc2::::::
	cpe:2.3:a:enonic:xp:7.8.0:rc3::::::

No data.

References

Link	Providers
https://github.com/advisories/GHSA-4m5p-5w5w-3jcf
https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
https://github.com/enonic/xp/issues/9253
https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf

History

Sat, 29 Nov 2025 02:00:00 +0000

Type	Values Removed	Values Added
Description	Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.	Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

Fri, 30 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2024-01-19T20:23:03.781Z

Updated: 2025-11-29T01:24:39.747Z

Reserved: 2024-01-19T17:35:09.984Z

Link: CVE-2024-23679

Vulnrichment

Updated: 2024-08-01T23:06:25.362Z

NVD

Status : Modified

Published: 2024-01-19T21:15:10.073

Modified: 2025-11-29T02:15:51.267

Link: CVE-2024-23679

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-23679", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2024-01-19T17:35:09.984Z", "datePublished": "2024-01-19T20:23:03.781Z", "dateUpdated": "2025-11-29T01:24:39.747Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "com.enonic.xp:lib-auth", "versions": [{"lessThan": "7.7.4", "status": "affected", "version": "0", "versionType": "maven"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enonic:xp:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.7.4", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.</p>"}], "value": "Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-29T01:24:39.747Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["issue-tracking"], "url": "https://github.com/enonic/xp/issues/9253"}, {"tags": ["related"], "url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"}, {"tags": ["related"], "url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"}, {"tags": ["related"], "url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"}, {"tags": ["third-party-advisory"], "url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"}], "source": {"discovery": "INTERNAL"}, "title": "Enonic XP Session Fixation Vulnerability", "x_generator": {"engine": "vulncheck"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.362Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://github.com/enonic/xp/issues/9253"}, {"tags": ["related", "x_transferred"], "url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"}, {"tags": ["related", "x_transferred"], "url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"}, {"tags": ["related", "x_transferred"], "url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T23:34:29.069781Z", "id": "CVE-2024-23679", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T14:25:16.986Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://github.com/enonic/xp/issues/9253", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff", "tags": ["related", "x_transferred"]}, {"url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4", "tags": ["related", "x_transferred"]}, {"url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842", "tags": ["related", "x_transferred"]}, {"url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.362Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-23679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-09T23:34:29.069781Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T23:34:30.691Z"}}], "cna": {"title": "Enonic XP Session Fixation Vulnerability", "source": {"discovery": "INTERNAL"}, "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "7.7.4", "versionType": "maven"}], "packageName": "com.enonic.xp:lib-auth", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf", "tags": ["vendor-advisory"]}, {"url": "https://github.com/enonic/xp/issues/9253", "tags": ["issue-tracking"]}, {"url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff", "tags": ["related"]}, {"url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4", "tags": ["related"]}, {"url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842", "tags": ["related"]}, {"url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf", "tags": ["third-party-advisory"]}, {"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.", "supportingMedia": [{"type": "text/html", "value": "<p>Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384 Session Fixation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:enonic:xp:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "7.7.4", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-29T01:24:39.747Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23679", "state": "PUBLISHED", "dateUpdated": "2025-11-29T01:24:39.747Z", "dateReserved": "2024-01-19T17:35:09.984Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2024-01-19T20:23:03.781Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enonic:xp:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FC6521F-C0B8-4FE8-BE06-FAB57CFFE61A", "versionEndExcluding": "7.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "0231ECC2-744B-4441-942B-514C943F7294", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "DD92F3AC-0C60-4588-B5DE-3488F7B38C18", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "7B807EF9-DADE-4C67-8AAF-E29C70D8D32F", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "0BB4FF1C-13D7-4385-A4EB-27750E88AE3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "890C984E-B1AD-4213-B355-DB26E6B1BE8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:enonic:xp:7.8.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "E156CC35-DC76-463E-8882-86C36814976E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes."}, {"lang": "es", "value": "Las versiones de Enonic XP inferiores a 7.7.4 son vulnerables a un problema de reparaci\u00f3n de sesi\u00f3n. Un atacante remoto y no autenticado puede utilizar sesiones anteriores debido a la falta de atributos de sesi\u00f3n invalidantes."}], "id": "CVE-2024-23679", "lastModified": "2025-11-29T02:15:51.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-19T21:15:10.073", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"}, {"source": "disclosure@vulncheck.com", "tags": ["Issue Tracking"], "url": "https://github.com/enonic/xp/issues/9253"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/enonic/xp/issues/9253"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}