{"id":"CVE-2024-23679","details":"Enonic XP versions earlier than 7.7.4 are vulnerable to session fixation. A remote, unauthenticated attacker can reuse a session that existed before authentication because the login flow does not invalidate the existing session attributes when a user logs in. The 7.8.0 pre-release builds up to rc3 are also listed as affected in this record.","aliases":["GHSA-4m5p-5w5w-3jcf"],"modified":"2026-04-12T08:03:59.641751Z","published":"2024-01-19T21:15:10.073Z","related":["GHSA-4m5p-5w5w-3jcf"],"references":[{"type":"ADVISORY","url":"https://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-4m5p-5w5w-3jcf"},{"type":"REPORT","url":"https://github.com/enonic/xp/issues/9253"},{"type":"FIX","url":"https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff"},{"type":"FIX","url":"https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4"},{"type":"FIX","url":"https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842"},{"type":"FIX","url":"https://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/enonic/xp","events":[{"introduced":"0"},{"fixed":"3638214d55b50fa4812343db9ef51121bf0fc002"},{"introduced":"0"},{"last_affected":"3ac04800230e9d69449c5cbe5a689372e2d5e26e"},{"introduced":"0"},{"last_affected":"44ee52aee30ccca088277c290c2ba293d9ae697b"},{"introduced":"0"},{"last_affected":"c1bbbfb2330fc121f000e725280c1d42152667fa"},{"fixed":"0189975691e9e6407a9fee87006f730e84f734ff"},{"fixed":"1f44674eb9ab3fbab7103e8d08067846e88bace4"},{"fixed":"2abac31cec8679074debc4f1fb69c25930e40842"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.7.4"},{"introduced":"0"},{"last_affected":"7.8.0-rc1"},{"introduced":"0"},{"last_affected":"7.8.0-rc2"},{"introduced":"0"},{"last_affected":"7.8.0-rc3"}]}}],"versions":["v5.0.0","v5.0.1","v6.0.0-M1","v6.0.0-RC1","v6.10.0","v6.10.0-B1","v6.10.0-RC2","v6.10.0-RC3","v6.12.0","v6.12.0-B1","v6.12.0-RC1","v6.12.0-RC2","v6.12.0-RC3","v6.13.0","v6.13.0-B1","v6.13.
0-RC1","v6.13.0-RC2","v6.14.0","v6.14.0-B1","v6.14.0-B2","v6.14.0-RC1","v6.15.0","v6.15.0-B1","v6.15.0-B2","v6.15.0-RC1","v6.15.0-RC2","v6.15.0-RC3","v6.15.0-RC4","v6.2.0","v6.2.0-RC1","v6.2.0-RC2","v6.2.0-RC3","v6.2.0-RC4","v6.2.0-RC5","v6.3.0","v6.3.0-M1","v6.3.0-M2","v6.3.0-RC1","v6.3.0-RC2","v6.4.0-RC1","v6.5.0","v6.5.0-RC2","v6.5.0-RC3","v6.5.1","v6.7.0","v6.7.0-RC1","v6.7.0-RC2","v6.7.0-RC3","v6.7.0-RC4","v6.7.0-RC5","v6.7.0-RC6","v6.8.0","v6.8.0-B1","v6.8.0-B2","v6.8.0-RC1","v6.8.0-RC2","v6.9.0","v6.9.0-B1","v6.9.0-B2","v6.9.0-B3","v6.9.0-B4","v6.9.0-RC1","v6.9.0-RC2","v6.9.0-RC3","v7.0.0","v7.0.0-A1","v7.0.0-A2","v7.0.0-A3","v7.0.0-B1","v7.0.0-B3","v7.0.0-B4","v7.0.0-B5","v7.0.0-RC1","v7.0.0-RC2","v7.0.0-RC3","v7.0.0-RC4","v7.0.0-RC5","v7.1.0","v7.1.0-B1","v7.1.0-B2","v7.1.0-B3","v7.1.0-RC1","v7.2.0","v7.2.0-B1","v7.2.0-B2","v7.2.0-RC1","v7.7.0","v7.7.0-B1","v7.7.0-B2","v7.7.0-RC1","v7.7.0-RC2","v7.7.0-RC3","v7.7.1","v7.7.1-B1","v7.7.1-RC1","v7.7.2","v7.7.2-RC1","v7.7.3","v7.7.3-RC1","v7.7.3-RC2","v7.7.4-RC1","v7.8.0-B1","v7.8.0-B2","v7.8.0-B3","v7.8.0-RC1","v7.8.0-RC2","v7.8.0-RC3"],"database_specific":{"vanir_signatures":[{"digest":{"length":359,"function_hash":"320701068093152236562973525248353102326"},"id":"CVE-2024-23679-16dbcc38","target":{"function":"login","file":"modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842","signature_type":"Function","signature_version":"v1"},{"digest":{"length":226,"function_hash":"44873371015901754275482741738342911926"},"id":"CVE-2024-23679-509a77a5","target":{"function":"createSession","file":"modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff","signature_type":"Function","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["54959743937112941230
999830328903867677","313165890899032934730689430397633096752","31899547168677898779246351725420786862","248702830159264181806828585102022946753","9431995442562588195795263489380193321","145350711789647672201279239879987910934","63730967883796243507928941132105570991","173958300226119899603228665429054767136","196047020783456606208130175791570351468","298094589868012725211392731364948670837","30641793071867692419542615296884929624","32802158123148844409265934004819420371","277830837772320240437529855955278665225","196678176823559988430475314223434718042","69974377604583194011747818744329152971","212587771786327968349087705728264021522","333464708450582936778354037982205122216","176252878289099175766752650828288448499","339419083816819476729925231865579512982","103875128849873858903081804343477579294","5483621250509443472271839721138751626","107354344559557095738465435813727618614","92823737710928691980809063749300670986","152075164857124093516898379539125654127","244409449860413553452072189374989855262","294301373880837194471138320357214138131","206664687545030175141828833853471448746","325398224914772093084810664563420328847","10185269525729587674379556979268156572","130718685488967906393126414776144282245","71215600194376313810027978943816237368","309382104449775143007810657935553220027","116295123062900264823294330576462789272","212000207393585743343602088523102722322","107471266692504767584070050640883552941","258530612960298379856589979889251244368","42257907176328908015485546793600121581","34879796815036921010341592030755810649"]},"id":"CVE-2024-23679-567309ae","target":{"file":"modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff","signature_type":"Line","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["294684881583196912574484810988529751527","271238506241972126728824489104581650748","895559709638866539797304039
4191474450","18578822231528242913019147505496145130","335547811595478130816989607482676504395","49109963237767484947961897640948718057","156177457841131982533914088712191658990"]},"id":"CVE-2024-23679-5d7fa389","target":{"file":"modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842","signature_type":"Line","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["54959743937112941230999830328903867677","313165890899032934730689430397633096752","31899547168677898779246351725420786862","248702830159264181806828585102022946753","9431995442562588195795263489380193321","145350711789647672201279239879987910934","63730967883796243507928941132105570991","173958300226119899603228665429054767136","196047020783456606208130175791570351468","298094589868012725211392731364948670837","30641793071867692419542615296884929624","32802158123148844409265934004819420371","277830837772320240437529855955278665225","196678176823559988430475314223434718042","69974377604583194011747818744329152971","212587771786327968349087705728264021522","333464708450582936778354037982205122216","176252878289099175766752650828288448499","339419083816819476729925231865579512982","103875128849873858903081804343477579294","5483621250509443472271839721138751626","107354344559557095738465435813727618614","92823737710928691980809063749300670986","152075164857124093516898379539125654127","244409449860413553452072189374989855262","294301373880837194471138320357214138131","206664687545030175141828833853471448746","325398224914772093084810664563420328847","10185269525729587674379556979268156572","130718685488967906393126414776144282245","71215600194376313810027978943816237368","309382104449775143007810657935553220027","116295123062900264823294330576462789272","212000207393585743343602088523102722322","107471266692504767584070050640883552941","25853061296029837985658997988925
1244368","42257907176328908015485546793600121581","34879796815036921010341592030755810649"]},"id":"CVE-2024-23679-5f81754b","target":{"file":"modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4","signature_type":"Line","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["294684881583196912574484810988529751527","271238506241972126728824489104581650748","8955597096388665397973040394191474450","18578822231528242913019147505496145130","335547811595478130816989607482676504395","49109963237767484947961897640948718057","156177457841131982533914088712191658990"]},"id":"CVE-2024-23679-61e46d66","target":{"file":"modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff","signature_type":"Line","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["54959743937112941230999830328903867677","313165890899032934730689430397633096752","31899547168677898779246351725420786862","248702830159264181806828585102022946753","9431995442562588195795263489380193321","145350711789647672201279239879987910934","141404889000342465616494762051127949719","260857615999690479860898785060840234846","86385293228356305673424591071818355126","47489729277462187478167604058048262332","30641793071867692419542615296884929624","108722169679603014635705550197138118285","212202794094691903605321933449874584912","255716667023837070565181685337202656843","16288474465493620543192688408609353679","32802158123148844409265934004819420371","277830837772320240437529855955278665225","196678176823559988430475314223434718042","69974377604583194011747818744329152971","212587771786327968349087705728264021522","333464708450582936778354037982205122216","176252878289099175766752650828288448499","339419083816819476729925231865579512982","10
3875128849873858903081804343477579294","5483621250509443472271839721138751626","107354344559557095738465435813727618614","92823737710928691980809063749300670986","152075164857124093516898379539125654127","244409449860413553452072189374989855262","294301373880837194471138320357214138131","206664687545030175141828833853471448746","325398224914772093084810664563420328847","10185269525729587674379556979268156572","130718685488967906393126414776144282245","71215600194376313810027978943816237368","309382104449775143007810657935553220027","116295123062900264823294330576462789272","212000207393585743343602088523102722322","107471266692504767584070050640883552941","258530612960298379856589979889251244368","42257907176328908015485546793600121581","34879796815036921010341592030755810649"]},"id":"CVE-2024-23679-7bff435b","target":{"file":"modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842","signature_type":"Line","signature_version":"v1"},{"digest":{"length":226,"function_hash":"44873371015901754275482741738342911926"},"id":"CVE-2024-23679-bec6dcaa","target":{"function":"createSession","file":"modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4","signature_type":"Function","signature_version":"v1"},{"digest":{"length":226,"function_hash":"44873371015901754275482741738342911926"},"id":"CVE-2024-23679-bfe38363","target":{"function":"createSession","file":"modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842","signature_type":"Function","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["294684881583196912574484810988529751527","271238506241972126728824489104581650748","89555
97096388665397973040394191474450","18578822231528242913019147505496145130","335547811595478130816989607482676504395","49109963237767484947961897640948718057","156177457841131982533914088712191658990"]},"id":"CVE-2024-23679-cec4485b","target":{"file":"modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java"},"deprecated":false,"source":"https://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4","signature_type":"Line","signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.8.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.8.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.8.0-beta3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23679.json","vanir_signatures_modified":"2026-04-12T08:03:59Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}