PT-2024-31161 · Dotcms · Dotcms Core

Zakaria Agharghar · Published 2024-07-26 · Updated 2026-01-29

CVE-2024-4447

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
dotCMS Core: versions prior to 24.07.12; 23.01 LTS versions prior to 23.01.20 LTS (23.01.19 LTS and earlier); 23.10.24 LTS versions prior to v13; 24.04.24 LTS versions prior to v5.
Description
The issue is in the System → Maintenance tool: the Logged Users tab lists the sessionId of every logged-in user, fetched through a Direct Web Remoting (DWR) call to UserSessionAjax.getSessionList.dwr. That data is intended only for administrators who hold the "Sign In As" permission, but the endpoint returns it to administrators who lack that permission as well, so they can impersonate other users by reusing their session IDs. The attack surface is narrow and an administrator account is required, but the danger lies in attribution: a malicious administrator can act under another user's identity, for example by using a stolen session ID to generate an API token, so that the resulting actions cannot be traced back to the real actor.
Recommendations
Update to a fixed release: 24.07.12 or later on the current branch; 23.01.20 LTS or later on the 23.01 LTS branch; 23.10.24v13 LTS or later on the 23.10 LTS branch; 24.04.24v5 LTS or later on the 24.04 LTS branch. As a temporary workaround until the update is applied, restrict access to the UserSessionAjax.getSessionList.dwr endpoint (for example, with a deny rule on the reverse proxy in front of dotCMS) to reduce the risk of exploitation; note that blocking the endpoint also disables the Logged Users tab for administrators who legitimately hold the "Sign In As" permission.
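Whether the Logged Users tab was read by accounts that lack the "Sign In As" permission, and whether the interim block on the endpoint is actually in effect, can both be checked from the web access log. The following Python is an added example, not dotCMS code and not part of the original advisory: the log format with an appended user= field, the /dwr/call/plaincall/ URL prefix (the standard DWR layout) and the roster of "Sign In As" holders are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not taken from any real dotCMS install).
# Format: combined log with the authenticated dotCMS user name appended as
# "user=<name>"; how the user name gets into the log is deployment specific.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2024:10:01:12 +0000] "POST /dwr/call/plaincall/UserSessionAjax.getSessionList.dwr HTTP/1.1" 200 2311 user=alice
10.0.0.7 - - [26/Jul/2024:10:02:40 +0000] "POST /dwr/call/plaincall/UserSessionAjax.getSessionList.dwr HTTP/1.1" 200 2298 user=bob
10.0.0.9 - - [26/Jul/2024:10:04:15 +0000] "GET /dotAdmin/ HTTP/1.1" 200 10240 user=carol
10.0.0.7 - - [26/Jul/2024:10:05:33 +0000] "POST /dwr/call/plaincall/UserSessionAjax.getSessionList.dwr HTTP/1.1" 403 0 user=bob
"""

# Hypothetical roster of administrators holding the "Sign In As" permission.
# In practice this comes from the role/permission export of your own site.
SIGN_IN_AS_USERS = {"alice"}

# The DWR call named in the advisory. The /dwr/call/plaincall/ prefix seen in
# the sample lines is the standard DWR URL layout and is assumed, not quoted
# from the advisory; matching is done on the call name only.
SESSION_LIST_CALL = "UserSessionAjax.getSessionList.dwr"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) user=(?P<user>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, sign_in_as_users):
    """Return a verdict for one request to the session-list DWR call.

    authorized  - user holds "Sign In As"; this is the intended use of the tab
    blocked     - request was denied (e.g. by the interim proxy deny rule)
    suspicious  - a user without "Sign In As" received the session list
    """
    if entry["status"].startswith(("4", "5")):
        return "blocked"
    if entry["user"] in sign_in_as_users:
        return "authorized"
    return "suspicious"


def find_session_list_access(log_text, sign_in_as_users):
    """Return every request to the session-list call, annotated with a verdict."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]  # ignore any query string
        if not path.endswith("/" + SESSION_LIST_CALL):
            continue
        entry["verdict"] = classify(entry, sign_in_as_users)
        findings.append(entry)
    return findings


def suspicious_users(findings):
    """Count successful session-list reads per user lacking the permission."""
    return Counter(f["user"] for f in findings if f["verdict"] == "suspicious")


if __name__ == "__main__":
    results = find_session_list_access(SAMPLE_LOG, SIGN_IN_AS_USERS)
    for f in results:
        print(f"{f['ts']} {f['ip']:<10} {f['user']:<8} {f['status']} {f['verdict']}")
    print("users to investigate:", dict(suspicious_users(results)))
```

A "suspicious" hit means a non-"Sign In As" administrator pulled the session list while the instance was still vulnerable, so that account's subsequent activity (and any API tokens it created) deserves review; a "blocked" hit shows the proxy rule is doing its job until the update is in place.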

Fix

LPE

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-4447

Affected Products

Dotcms Core