External risk intelligence

Enonic XP Session Fixation Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-23679

Enonic XP is a web-based content management system and application platform. Such platforms are typically deployed as internet-facing web applications or API services, making the session management interface a common and intended point of interaction for users over the network.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Enonic XP allows unauthenticated attackers to potentially hijack user sessions. This issue stems from the platform's failure to properly invalidate session attributes, which could enable unauthorized access and control over user accounts. The main concern is confirming relevance and exposure to Enonic XP systems.

  • Sessions can be fixed by attackers.
  • Critical flaw impacts unauthenticated users.
  • Confirm if Enonic XP is in use.

Attack Path

How an attacker could exploit the issue

An attacker can target this vulnerability by sending requests to an unauthenticated instance of Enonic XP. The vulnerability lies in how the system handles prior sessions, as it does not properly invalidate session attributes. This could allow an attacker to hijack a user's session, potentially leading to unauthorized access and control over the application.

  • No authentication required.
  • Exploits prior session reuse.
  • Session hijacking risk.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could leverage a session fixation flaw in Enonic XP to hijack active user sessions when supported. This means an attacker might gain access to a user's account and its associated data or perform actions on their behalf.

  • User sessions and associated data.
  • Session attributes are not invalidated.
  • Unauthorized access to user accounts.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Enonic XP platform owner, likely an application or platform team, is responsible for addressing this session fixation vulnerability. The first step is to identify all instances of Enonic XP, determine their reachability and business criticality, and confirm the accountable owner. Remediation planning should then be prioritized based on this risk assessment.

  • Application or platform teams own the issue.
  • Verify instance reachability and business criticality.
  • Plan remediation based on assessed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Enonic XP?

Enonic XP is an integrated platform that combines a content management system with a flexible application engine. Developers use it to build, host, and manage web applications and API services. Because it powers web interfaces, the platform relies heavily on secure session management to track user interactions and maintain authentication states during a browsing session.

What does session fixation mean for CVE-2024-23679?

This vulnerability is classified as CWE-384, or Session Fixation. It occurs when a software fails to assign a new, unique session identifier after a user logs in. In this case, Enonic XP does not properly invalidate old session attributes. If an attacker can force a specific session ID onto a victim, they can potentially use that same identifier to hijack the account after the victim authenticates, effectively gaining unauthorized access to the session.

How does an attacker trigger this vulnerability?

An attacker triggers this by interacting with the application before a user logs in, exploiting the system's failure to clear or replace session data. It does not require the attacker to have existing credentials or prior access to the system. Simply sending crafted network requests to an unauthenticated instance is sufficient to attempt to fix or reuse a session. Actions performed by an authenticated user, such as simple page navigation that does not involve a login event, do not inherently trigger this bug.

Do I need to worry if my instance is not on the internet?

Halo Surface Signal indicates that Enonic XP is often deployed as an internet-facing service, which places the session management interface directly in the path of potential network-based attackers. While internal-only instances face a lower risk of external targeting, they remain susceptible to malicious actors who have gained a foothold inside your network perimeter. Assessing whether your specific deployment is accessible over the network is a vital step in understanding your risk.

When should I take action to fix this?

You should begin by identifying all running instances of Enonic XP across your environment. Prioritize these systems based on their business criticality and network reachability. Once you have an inventory, coordinate with your application teams to plan an update. The primary goal is to move to a version that properly manages session attributes, ensuring that session identifiers are securely handled and invalidated as expected.

References