CVE-2024-23679
Published: 19 January 2024
Summary
CVE-2024-23679 is a critical-severity Session Fixation (CWE-384) vulnerability in Enonic XP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0245
Vulnerability details
Enonic XP versions prior to 7.7.4 are vulnerable to a session fixation issue. A remote, unauthenticated attacker can reuse a prior session because the session attributes are not invalidated on authentication.
- CWE(s): CWE-384 (Session Fixation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Session fixation vulnerability (CWE-384) in Enonic XP lib-auth enables remote unauthenticated attackers to hijack authenticated user sessions by reusing prior session IDs, mapping to exploitation of public-facing web applications (T1190), stealing web session cookies (T1539), using valid accounts (T1078), and using alternate authentication material via web session cookies (T1550.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Session termination after a set interval shortens the usable lifetime of a fixed session identifier, making successful exploitation of session fixation more difficult.
- Re-authentication typically forces issuance of a new session, limiting the window for exploitation of a previously fixed session identifier.
- Session management that enforces proper session ID generation and binding (a fresh identifier issued at authentication, never the one the client arrived with) prevents fixation of a known session token.