CVE-2019-8978

Published: 14/05/2019 Updated: 21/07/2021
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote malicious users to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.

Vulnerable Products

ellucian banner enterprise identity services 8.3

ellucian banner enterprise identity services 8.3.2

ellucian banner enterprise identity services 8.4

ellucian banner web tailor 8.8.3

ellucian banner web tailor 8.8.4

ellucian banner web tailor 8.9

ellucian banner enterprise identity services 8.3.1

Github Repositories

Banner Web Tailor and Banner Enterprise Identity Services Vulnerability Disclosure

[CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services

Author: Joshua Mulliken joshua@mulliken.net
Thanks to: Carnegie Mellon University CERT Coordination Center

Information
Date Found: Dec 17, 2018
Vendor: Ellucian Company LP
Vendor Homepage: www.ellucian.com
Products: Banner Web Tailor and Banner Ent