Cyber Resilience

CVE-2024-11627

Medium

Published: 07 January 2025

Modified: 29 July 2025
CVSS v3.1 score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS score: 0.0017 (37.8th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11627 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in Progress Sitefinity. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). Its EPSS ranking is the 37.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-11627 is an Insufficient Session Expiration vulnerability in Progress Sitefinity that enables Session Fixation. The issue affects multiple version ranges of Sitefinity, specifically from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, and from 15.2.8400 through 15.2.8421. It is associated with CWE-613 and carries a CVSS v3.1 base score of 6.8.

The vulnerability can be exploited over the network (AV:N) by attackers requiring no privileges (PR:N), though it involves high attack complexity (AC:H) and user interaction (UI:R) with no change in scope (S:U). Successful exploitation results in high impacts to confidentiality (C:H) and integrity (I:H), but no availability impact (A:N), potentially allowing attackers to fixate a session ID and hijack authenticated user sessions after inducing login.

Progress has published a Sitefinity security advisory addressing related vulnerabilities at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Further details on Sitefinity CMS are available at https://www.progress.com/sitefinity-cms. Security practitioners should consult these resources for patch information and mitigation guidance.

EU & UK References

Vulnerability details

Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

CWE(s)

CWE-613 Insufficient Session Expiration

Related Threats

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1550.004 Web Session Cookie (tactic: Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.

Why these techniques?

Session fixation directly enables browser session hijacking and use of stolen/fixed web session cookies to impersonate authenticated users.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-11626 (same product: Progress Sitefinity)
CVE-2026-7313 (same product: Progress Sitefinity)
CVE-2026-7198 (same product: Progress Sitefinity)
CVE-2026-7201 (same product: Progress Sitefinity)
CVE-2026-7195 (same product: Progress Sitefinity)
CVE-2026-7312 (same product: Progress Sitefinity)
CVE-2024-11625 (same product: Progress Sitefinity)
CVE-2026-3692 (same vendor: Progress)
CVE-2024-56135 (same vendor: Progress)
CVE-2026-34828 (shared CWE-613)

Affected Assets

Vendor: progress
Product: sitefinity
Versions: 4.0 — 14.4.8143 · 15.0.8200 — 15.0.8230 · 15.1.8300 — 15.1.8328

Mitigating Controls (NIST 800-53 r5)

AC-12 Session Termination
prevent

Directly enforces automatic session termination after organization-defined conditions or inactivity periods, comprehensively addressing the insufficient session expiration that enables session fixation in Sitefinity.

SI-2 Flaw Remediation
prevent

Requires identification, reporting, patching, and verification of flaws like CVE-2024-11627, eliminating the root cause of the insufficient session expiration and session fixation vulnerability.

AU-14 Session Audit (partial match)
detect

Provides audit capabilities for all system sessions to identify anomalous session behaviors indicative of fixation or hijacking in Sitefinity.
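The following Python model is an added illustration of the mechanism described in the deeper analysis and of the AC-12 control above; it is not Sitefinity code and does not come from Progress or from this page. It contrasts a login that keeps the session id the browser arrived with (the weak behaviour that lets a pre-authentication id remain valid) against one that issues a fresh id at authentication, and it enforces idle and absolute timeouts on every lookup. The timeout values, the `SessionStore` class and the helper functions are assumptions chosen for the demonstration.

```python
"""Session lifecycle model: id regeneration at login plus idle/absolute
expiration. Added illustration; not Sitefinity or Progress code.
All timeout values are assumed policy settings, not product defaults."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: terminate after 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: terminate 8 hours after creation regardless of use


class SessionStore:
    """In-memory session table keyed by an unguessable session id."""

    def __init__(self, regenerate_on_login=True, clock=time.monotonic):
        # regenerate_on_login=False reproduces the weak behaviour the analysis
        # describes: the id presented before authentication keeps working after it.
        self.regenerate_on_login = regenerate_on_login
        self._clock = clock
        self._sessions = {}   # sid -> {"user": str | None, "created": float, "last_seen": float}

    def _fresh_record(self):
        now = self._clock()
        return {"user": None, "created": now, "last_seen": now}

    def create(self):
        """Issue a new anonymous session, e.g. on a visitor's first request."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._fresh_record()
        return sid

    def _expired(self, rec, now):
        return (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_TIMEOUT)

    def user_for(self, sid):
        """Resolve a presented id to its user, enforcing expiration on every use
        (the AC-12 behaviour). Returns None for unknown, anonymous or expired ids."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if self._expired(rec, now):
            del self._sessions[sid]      # terminate instead of silently reviving
            return None
        rec["last_seen"] = now
        return rec["user"]

    def login(self, presented_sid, user):
        """Bind a user to a session after successful authentication.
        Hardened path: discard the id the browser arrived with and issue a new one,
        so an id fixed before login is worthless afterwards."""
        if not self.regenerate_on_login:
            self._sessions.setdefault(presented_sid, self._fresh_record())
            self._sessions[presented_sid]["user"] = user
            return presented_sid         # weak: pre-auth id now carries the user's session
        self._sessions.pop(presented_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        """Explicit termination on logout."""
        self._sessions.pop(sid, None)


def fixation_blocked(regenerate_on_login, clock=time.monotonic):
    """Model the scenario from the analysis: an id issued before authentication
    is the one presented at login. True if that id does NOT resolve to the
    user afterwards while the id returned by login does."""
    store = SessionStore(regenerate_on_login=regenerate_on_login, clock=clock)
    pre_auth_sid = store.create()          # assumed known to a third party before login
    post_auth_sid = store.login(pre_auth_sid, "alice")
    return store.user_for(pre_auth_sid) is None and store.user_for(post_auth_sid) == "alice"


def idle_expiry_enforced():
    """Advance a fake clock past IDLE_TIMEOUT and confirm the session is gone."""
    now = [1000.0]                         # constructed clock value
    store = SessionStore(clock=lambda: now[0])
    sid = store.login(store.create(), "bob")
    if store.user_for(sid) != "bob":
        return False
    now[0] += IDLE_TIMEOUT + 1
    return store.user_for(sid) is None


if __name__ == "__main__":
    print("regeneration at login blocks fixation:", fixation_blocked(True))
    print("weak login leaves the pre-auth id valid:", not fixation_blocked(False))
    print("idle timeout terminates the session:", idle_expiry_enforced())
```

The two properties a reviewer would check in a real deployment are the same ones the functions above exercise: the id a browser presents before authentication must never become an authenticated session, and every lookup must apply the idle and absolute limits rather than trusting that a session will eventually be cleaned up.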

References