CVE-2024-11627
Published: 07 January 2025
Summary
CVE-2024-11627 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in Progress Sitefinity. Its CVSS base score is 6.8 (Medium).
Operationally, it ranks at the 31.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): Directly enforces automatic session termination after organization-defined conditions or inactivity periods, comprehensively addressing the insufficient session expiration that enables session fixation in Sitefinity.
- SI-2 (Flaw Remediation): Requires identification, reporting, patching, and verification of flaws like CVE-2024-11627, eliminating the root cause of the insufficient session expiration and session fixation vulnerability.
- Session auditing: Provides audit capabilities for all system sessions to identify anomalous session behaviors indicative of fixation or hijacking in Sitefinity.
NVD Description
Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Deeper analysis
CVE-2024-11627 is an Insufficient Session Expiration vulnerability in Progress Sitefinity that enables Session Fixation. The issue affects multiple version ranges of Sitefinity, specifically from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, and from 15.2.8400 through 15.2.8421. It is associated with CWE-613 and carries a CVSS v3.1 base score of 6.8.
The vulnerability can be exploited over the network (AV:N) by attackers requiring no privileges (PR:N), though it involves high attack complexity (AC:H) and user interaction (UI:R) with no change in scope (S:U). Successful exploitation results in high impacts to confidentiality (C:H) and integrity (I:H), but no availability impact (A:N), potentially allowing attackers to fixate a session ID and hijack authenticated user sessions after inducing login.
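To make the CWE-613 / session fixation mechanics described above concrete, here is an added Python model of a server-side session store (illustrative code, not Sitefinity's implementation and not from this advisory) with the weak behaviour beside the hardened one: the hardened store issues a fresh ID when the user authenticates, discards the pre-authentication ID, and enforces idle and absolute lifetimes. The timeout values are assumed policy, not values taken from the advisory.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped (assumed policy)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity (assumed policy)


class SessionStore:
    """In-memory session store; the two flags switch between the weak and hardened behaviour."""

    def __init__(self, rotate_on_login: bool, expire: bool, clock=time.time):
        self.rotate_on_login = rotate_on_login  # False models CWE-613: pre-auth ID kept after login
        self.expire = expire                    # False models sessions that never time out
        self.clock = clock                      # injectable clock so expiry can be exercised offline
        self.sessions: dict[str, dict] = {}

    def create(self) -> str:
        """Issue an anonymous (pre-authentication) session ID."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Bind a user to a session. Hardened: issue a fresh ID and discard the pre-auth one."""
        sess = self.sessions.pop(sid)
        if self.rotate_on_login:
            sid = secrets.token_urlsafe(32)   # any ID known before login becomes worthless
            sess["created"] = self.clock()    # absolute lifetime counts from authentication
        sess["user"] = user
        sess["last_seen"] = self.clock()
        self.sessions[sid] = sess
        return sid

    def user_for(self, sid: str):
        """Resolve a presented session ID to its user, applying idle and absolute expiry."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        idle_exceeded = now - sess["last_seen"] > IDLE_TIMEOUT
        lifetime_exceeded = now - sess["created"] > ABSOLUTE_LIFETIME
        if self.expire and (idle_exceeded or lifetime_exceeded):
            del self.sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]


def fixation_survives_login(store: SessionStore) -> bool:
    """Does a session ID issued before authentication still resolve to the user afterwards?"""
    pre_auth = store.create()
    store.login(pre_auth, "alice")        # constructed sample user
    return store.user_for(pre_auth) == "alice"
```

Running `fixation_survives_login` against the weak store returns True (the pre-authentication ID is now an authenticated one), and against the hardened store returns False; the injectable clock lets you confirm that an idle session also stops resolving after `IDLE_TIMEOUT`.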
Progress has published a Sitefinity security advisory addressing related vulnerabilities at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Further details on Sitefinity CMS are available at https://www.progress.com/sitefinity-cms. Security practitioners should consult these resources for patch information and mitigation guidance.
Details
- CWE(s): CWE-613 (Insufficient Session Expiration)