CVE-2024-23679
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions
CVSS
9.8
Crítico
EPSS
0.8%
p54
KEV
—
Exploit Today
16
0-100
Publicado: 19 ene 2024 · Última mod.: 14 jul 2026 · CWE-384
0.8%EPSS · 30 días0.8%
2026-06-302026-07-16
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
- github.comhttps://github.com/advisories/GHSA-4m5p-5w5w-3jcf
- github.comhttps://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
- github.comhttps://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
- github.comhttps://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
- github.comhttps://github.com/enonic/xp/issues/9253
- github.comhttps://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
- vulncheck.comhttps://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf
- github.comhttps://github.com/advisories/GHSA-4m5p-5w5w-3jcf
- github.comhttps://github.com/enonic/xp/commit/0189975691e9e6407a9fee87006f730e84f734ff
- github.comhttps://github.com/enonic/xp/commit/1f44674eb9ab3fbab7103e8d08067846e88bace4
- github.comhttps://github.com/enonic/xp/commit/2abac31cec8679074debc4f1fb69c25930e40842
- github.comhttps://github.com/enonic/xp/issues/9253
- github.comhttps://github.com/enonic/xp/security/advisories/GHSA-4m5p-5w5w-3jcf
- vulncheck.comhttps://vulncheck.com/advisories/vc-advisory-GHSA-4m5p-5w5w-3jcf
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2022-273058.8 ALT53.9%
——16Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.8dCVE-2023-300567.5 ALT49.9%
——15A session takeover vulnerability exists in FICO Origination Manager Decision Module 4.8.1 due to insufficient protection of the JSESSIONID cookie.8dCVE-2025-459499.8 CRÍ34.5%
——10A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover.12dCVE-2026-337579.6 CRÍ33.3%
——10OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.2dCVE-2025-459539.1 CRÍ28.2%
——8A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely12dCVE-2026-485456.8 MED27.3%
——8Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.2d