Advisories for Maven/Com.enonic.xp/Lib-Auth package

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.

Impact All id-providers using lib-auth login method. lib-auth should invalidate old session after login and replicate session attributes in a new one, however this is not the behavior in affected versions. Workarounds Don't use lib-auth for login. Java API uses low-level structures and allows to invalidate previous session before auth-info is added. References https://github.com/enonic/xp/issues/9253