Improper Authentication Vulnerability in Ellucian Banner Web Tailor and Identity Services
CVE-2019-8978

8.1HIGH

Key Information:

Vendor

Ellucian

Status
Banner Web Tailor
Banner Enterprise Identity Services
Vendor
CVE Published:
14 May 2019

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2019-8978?

An improper authentication vulnerability present in Ellucian Banner Web Tailor and Banner Enterprise Identity Services can be exploited via a race condition. Attackers can remotely compromise a victim's session and potentially cause a denial of service. By repeatedly accessing the initial login page with a crafted IDMSESSID cookie aligned with the victim's institutional ID, attackers can leverage the race condition to receive the session ID intended for the victim, thereby gaining unauthorized access.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-8978
Created by SecKatie

References

http://seclists.org/fulldisclosure/2019/May/18
mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/152856/Ellucian-Bann...
x_refsource_MISC
https://seclists.org/bugtraq/2019/May/31
mailing-listx_refsource_BUGTRAQ

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability Reserved

.