CVE-2024-23679

Name of the Vulnerable Software and Affected Versions Enonic XP versions less than 7.7.4

Description The issue is a session fixation problem that allows a remote and unauthenticated attacker to use prior sessions due to the lack of invalidating session attributes. This affects all id-providers using the lib-auth login method.

Recommendations For Enonic XP versions less than 7.7.4, consider updating to version 7.7.4 or later to resolve the issue. As a temporary workaround, avoid using lib-auth for login, and instead use the Java API, which allows for invalidating previous sessions before auth-info is added.