Lucene search

GoogleOSV:CVE-2024-23679

HistoryJan 19, 2024 - 9:15 p.m.

CVE-2024-23679

2024-01-1921:15:10

Google

osv.dev

enonic xp

session fixation

vulnerability

remote attacker

unauthenticated

prior sessions

invalidating attributes

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.5%

JSON

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

CPENameOperatorVersion
xpeq6.14.0-B1
xpeq7.7.3-RC2
xpeq6.3.0-RC2
xpeq6.8.0-B2
xpeq6.11.0-RC2
xpeq7.7.0-B1
xpeq6.12.0
xpeq5.0.0
xpeq7.0.0-B1
xpeq6.5.0

Name	Operator	Version
xp	eq	6.14.0-B1
xp	eq	7.7.3-RC2
xp	eq	6.3.0-RC2
xp	eq	6.8.0-B2
xp	eq	6.11.0-RC2
xp	eq	7.7.0-B1
xp	eq	6.12.0
xp	eq	5.0.0
xp	eq	7.0.0-B1
xp	eq	6.5.0

Rows per page:

1-10 of 1501

References

github.com/advisories/GHSA-4m5p-5w5w-3jcf

github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff

github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4

github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842

github.com/enonic/xp/issues/9253

github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf

vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.5%

JSON

Related for OSV:CVE-2024-23679