QwikSec

Security Database

CVE

CWE

Training

CVE-2019-8978

Published: May 14, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

20190513 [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/152856/Ellucian-Banner-Web-Tailor-Banner-Enterprise-Identity-Services-Improper-Authentication.html

x_refsource_MISC

20190514 [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services

mailing-list

x_refsource_BUGTRAQ

https://raw.githubusercontent.com/JoshuaMulliken/CVE-2019-8978/master/README.txt

x_refsource_MISC

https://ecommunities.ellucian.com/message/252749#252749

x_refsource_MISC

https://ecommunities.ellucian.com/message/252810#252810

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.