CVE-2024-23679: CWE-384 Session Fixation
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. A remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
AI Analysis
Technical Summary
CVE-2024-23679 is a session fixation vulnerability categorized under CWE-384 that affects Enonic XP versions earlier than 7.7.4. Session fixation occurs when an attacker can set or reuse a valid session identifier (session ID) before the user logs in, and the application fails to invalidate or regenerate the session ID upon authentication. In this case, Enonic XP does not properly invalidate session attributes after login, allowing an unauthenticated remote attacker to leverage prior session IDs to hijack authenticated sessions. This vulnerability requires no privileges and no user interaction, making it highly exploitable remotely over the network. The CVSS 3.1 base score of 9.8 reflects the critical impact on confidentiality, integrity, and availability, as an attacker can fully impersonate legitimate users, potentially accessing sensitive data, performing unauthorized actions, or disrupting services. Although no public exploits have been reported yet, the vulnerability's nature and severity make it a prime target for attackers. Enonic XP is a web content management system used by various organizations, including government agencies and enterprises, which increases the potential impact of this flaw. The lack of session invalidation is a fundamental security oversight in session management, and remediation requires upgrading to the fixed version 7.7.4 or later where proper session handling is implemented.
Potential Impact
For European organizations, this vulnerability poses a significant risk of session hijacking, leading to unauthorized access to sensitive information, manipulation of web content, and disruption of services hosted on Enonic XP platforms. Public sector entities, media companies, and enterprises using Enonic XP could face data breaches, loss of user trust, and regulatory penalties under GDPR if personal data is compromised. The critical severity means attackers can remotely exploit the flaw without authentication or user interaction, increasing the likelihood of widespread attacks. This could result in operational downtime, reputational damage, and financial losses. Given the reliance on Enonic XP in several European countries for digital services, the impact could be substantial, especially if attackers target high-value accounts or administrative users. Additionally, session fixation attacks can be used as a stepping stone for further attacks within the network, amplifying the threat.
Mitigation Recommendations
1. Immediately upgrade all Enonic XP instances to version 7.7.4 or later, where the session fixation vulnerability is patched.
2. Implement strict session management policies, including regenerating session IDs upon authentication and invalidating old sessions to prevent reuse.
3. Conduct thorough audits of session handling code and configurations to ensure no other session fixation or session management weaknesses exist.
4. Monitor web server and application logs for unusual session reuse patterns or multiple logins from the same session ID.
5. Employ web application firewalls (WAFs) with rules to detect and block suspicious session fixation attempts.
6. Educate developers and administrators on secure session management best practices to prevent similar issues in the future.
7. Consider implementing multi-factor authentication (MFA) to reduce the impact of session hijacking.
8. Regularly review and update security policies related to session handling and user authentication.
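The log monitoring in recommendation 4, as an added example that is not part of the original advisory or of Enonic XP: a small detector that groups successful logins by session ID and flags any ID that authenticates more than once, with higher severity when the repeat logins come from different source addresses or different users. The `key=value` log layout and the sample lines are constructed for this example; real Enonic XP or reverse-proxy logs will need their own parser.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Enonic XP output). Addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-11-29T03:12:01Z event=login_success user=alice sid=s-1001 src=203.0.113.5
2025-11-29T03:12:44Z event=login_success user=bob sid=s-2002 src=198.51.100.7
2025-11-29T03:15:09Z event=login_success user=alice sid=s-1001 src=192.0.2.99
2025-11-29T03:20:30Z event=login_success user=carol sid=s-3003 src=198.51.100.8
2025-11-29T03:21:02Z event=login_success user=carol sid=s-3003 src=198.51.100.8
2025-11-29T03:25:00Z event=logout user=bob sid=s-2002 src=198.51.100.7
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def find_session_reuse(lines) -> dict:
    """Return {sid: record} for every session ID with two or more successful
    logins. A correctly rotating application never logs the same ID twice for
    login_success, so any hit is worth a look; 'high' means the repeats came
    from more than one source address or more than one user."""
    per_sid = defaultdict(lambda: {"logins": 0, "users": set(), "sources": set(),
                                   "first": None, "last": None})
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") != "login_success" or "sid" not in f:
            continue
        rec = per_sid[f["sid"]]
        rec["logins"] += 1
        rec["users"].add(f.get("user", "?"))
        rec["sources"].add(f.get("src", "?"))
        rec["first"] = rec["first"] or f["ts"]
        rec["last"] = f["ts"]

    findings = {}
    for sid, rec in per_sid.items():
        if rec["logins"] < 2:
            continue
        multi = len(rec["sources"]) > 1 or len(rec["users"]) > 1
        findings[sid] = {**rec, "severity": "high" if multi else "low"}
    return findings


if __name__ == "__main__":
    for sid, rec in find_session_reuse(SAMPLE_LOG.splitlines()).items():
        print(f"{rec['severity']:4} {sid}: {rec['logins']} logins, "
              f"users={sorted(rec['users'])}, sources={sorted(rec['sources'])}, "
              f"{rec['first']} .. {rec['last']}")
```

Run this over a day of authentication logs after upgrading and the output should be empty; a steady stream of "low" hits from a single address is more often a double-submitted login form than an attack, whereas a "high" hit (one session ID, two addresses) is exactly the signature session fixation leaves behind and should be correlated with the WAF and proxy logs from recommendation 5.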
Affected Countries
Germany, United Kingdom, France, Norway, Sweden, Denmark, Finland, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2024-01-19T17:35:09.984Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6839c41d182aa0cae2b4360e
Added to database: 5/30/2025, 2:43:41 PM
Last enriched: 11/29/2025, 4:08:24 AM
Last updated: 12/2/2025, 3:39:17 PM
Views: 51