Enonic XP v7.7.4 and v6.15.13 have been released

Hi all!

Today, we have released new bugfix versions of both XP 7 and XP 6. The reason they come together is that we found a security vulnerability that affects login when authenticating using the lib-auth library, which is present in both versions.

Basically, the session ID is not replaced when authenticating using lib-auth. All the ID providers on Market use this, but not the Standard ID Provider that is bundled with Enonic XP. Also, many of you will have used lib-auth for your own projects. So, if you have public-facing login forms to admin or services on your site, which are using any of the ID Providers from Market or your own code using lib-auth, we strongly recommend you upgrade Enonic XP and the ID provider, and rebuild your code with version 7.7.4 or 6.15.13.

At the time of writing, there are no known exploits of this vulnerability.

Version 7.7.4 also contains a few other bugfixes. Complete changelogs are found here: Enonic XP v6.15.13 and here: Enonic XP v7.7.4

If you are a paying customer, feel free to contact us through support to get help.

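One way to confirm after upgrading that the session ID is replaced at login, as an added example that is not part of the original post or Enonic's own code: given the headers of a captured login request and its response, it reports whether the ID in effect after login differs from the one the client presented. The cookie name JSESSIONID, the function names and the sample exchanges are assumptions constructed for illustration.

```javascript
// Assumption: the session cookie uses the servlet default name; change it if yours differs.
const SESSION_COOKIE = 'JSESSIONID';

// Split "name=value" at the first "=" and return the value if the name matches.
function matchCookie(pair, name) {
  const idx = pair.indexOf('=');
  if (idx > 0 && pair.slice(0, idx).trim() === name) return pair.slice(idx + 1).trim();
  return null;
}

// Session ID the client sent, taken from the request "Cookie" header.
function cookieFromRequest(header, name = SESSION_COOKIE) {
  for (const part of (header || '').split(';')) {
    const value = matchCookie(part, name);
    if (value !== null) return value;
  }
  return null;
}

// Session ID the server issued, taken from the response "Set-Cookie" headers (last one wins).
function cookieFromResponse(setCookies, name = SESSION_COOKIE) {
  let value = null;
  for (const line of setCookies || []) {
    const found = matchCookie(line.split(';')[0], name);
    if (found !== null) value = found;
  }
  return value;
}

// Compare the ID presented with the login request to the ID in effect after the response.
function checkLoginRotation(exchange) {
  const before = cookieFromRequest(exchange.requestCookie);
  const issued = cookieFromResponse(exchange.responseSetCookie);
  const after = issued !== null ? issued : before; // no Set-Cookie: the old ID stays in use
  if (after === null) return { status: 'no-session', before, after };
  if (before === null) return { status: 'new-session', before, after };
  return { status: before === after ? 'not-rotated' : 'rotated', before, after };
}

// Constructed sample exchanges (not real traffic).
const keptId = { requestCookie: 'JSESSIONID=node0abc123; theme=dark', responseSetCookie: [] };
const newId = {
  requestCookie: 'JSESSIONID=node0abc123; theme=dark',
  responseSetCookie: ['JSESSIONID=node0zzz789; Path=/; HttpOnly'],
};
console.log(checkLoginRotation(keptId).status, checkLoginRotation(newId).status);
```

A result of not-rotated on a successful login means the pre-login session ID is still valid afterwards, which is the behaviour the fixed versions are meant to remove.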