Ellucian · Ellucian Banner Enterprise Identity Services · CVE-2019-8978
**Name of the Vulnerable Software and Affected Versions**
Ellucian Banner Web Tailor versions 8.8.3 through 8.9
Ellucian Banner Enterprise Identity Services versions 8.3 through 8.4
**Description**
The issue is an improper authentication vulnerability that can be exploited through a race condition. It allows remote attackers to steal a victim's session and cause a denial of service by repeatedly requesting the initial main page with the `IDMSESSID` cookie set to the victim's `UDCID`. An attacker who wins the race during a login attempt by the victim is issued the `SESSID` that was meant for the victim.
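The following detection heuristic is an added example, not Ellucian code or part of this advisory. It assumes a constructed access-log format, a placeholder main-page path and tunable thresholds, and flags the two observable halves of the pattern above: one client repeatedly requesting the initial main page with an `IDMSESSID` cookie set, and one `IDMSESSID` value presented from more than one client address.

```python
"""Heuristic for the CVE-2019-8978 abuse pattern (added example; log format,
paths and values are constructed for illustration)."""
import re
from collections import defaultdict

MAIN_PAGE_PATH = "/sso/main"   # placeholder: substitute the deployment's initial main page
FLOOD_THRESHOLD = 20           # main-page hits per client within the window (tune to baseline)
WINDOW_SECONDS = 60

# Constructed log format: "<epoch> <client_ip> <method> <path> cookie=<Cookie header or ->"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) cookie=(\S+)$")
IDMSESSID_RE = re.compile(r"(?:^|;\s*)IDMSESSID=([^;]+)")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, _method, path, cookies = m.groups()
    sess = IDMSESSID_RE.search(cookies)
    return {"ts": int(ts), "ip": ip, "path": path,
            "idmsessid": sess.group(1) if sess else None}

def analyze(lines):
    """Return (flooding_ips, shared_idmsessid_values) found in the log lines."""
    per_ip = defaultdict(list)      # client ip -> timestamps of main-page hits carrying IDMSESSID
    ips_per_id = defaultdict(set)   # IDMSESSID value -> client ips that presented it
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"] != MAIN_PAGE_PATH or rec["idmsessid"] is None:
            continue
        per_ip[rec["ip"]].append(rec["ts"])
        ips_per_id[rec["idmsessid"]].add(rec["ip"])
    flooding = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):   # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= FLOOD_THRESHOLD:
                flooding.add(ip)
                break
    shared = {sid for sid, ips in ips_per_id.items() if len(ips) > 1}
    return flooding, shared

# Constructed sample: 203.0.113.7 hammers the main page with a victim's id while
# 198.51.100.5 (the victim) logs in; 192.0.2.9 carries no IDMSESSID and is ignored.
SAMPLE_LOG = [f"{1000 + i} 203.0.113.7 GET {MAIN_PAGE_PATH} cookie=IDMSESSID=UDCID-victim-1"
              for i in range(25)]
SAMPLE_LOG.append(f"1010 198.51.100.5 GET {MAIN_PAGE_PATH} cookie=IDMSESSID=UDCID-victim-1")
SAMPLE_LOG.append(f"1011 192.0.2.9 GET {MAIN_PAGE_PATH} cookie=-")
```

Run `analyze(SAMPLE_LOG)` to get the flooding client set and the set of `IDMSESSID` values seen from more than one address; either signal alone is worth an alert, and both together match the race described above.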
**Recommendations**
For Ellucian Banner Web Tailor versions 8.8.3 through 8.9, consider disabling the SSO Manager functionality until a patch is available.
For Ellucian Banner Enterprise Identity Services versions 8.3 through 8.4, restrict access to the initial main page to minimize the risk of exploitation.
As a temporary workaround, avoid using the `IDMSESSID` cookie in conjunction with the vulnerable versions of Ellucian Banner Web Tailor and Banner Enterprise Identity Services until the issue is resolved.