CVE-2024-11627
Published: 07 January 2025
Description
Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Security Summary
CVE-2024-11627 is an Insufficient Session Expiration vulnerability in Progress Sitefinity that enables Session Fixation. The issue affects multiple version ranges of Sitefinity, specifically from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, and from 15.2.8400 through 15.2.8421. It is associated with CWE-613 and carries a CVSS v3.1 base score of 6.8.
The vulnerability can be exploited over the network (AV:N) by attackers requiring no privileges (PR:N), though it involves high attack complexity (AC:H) and user interaction (UI:R) with no change in scope (S:U). Successful exploitation results in high impacts to confidentiality (C:H) and integrity (I:H), but no availability impact (A:N), potentially allowing attackers to fixate a session ID and hijack authenticated user sessions after inducing login.
Progress has published a Sitefinity security advisory addressing related vulnerabilities at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Further details on Sitefinity CMS are available at https://www.progress.com/sitefinity-cms. Security practitioners should consult these resources for patch information and mitigation guidance.
Details
- CWE(s): CWE-613 (Insufficient Session Expiration)