PT-2019-19282 · Ellucian · Ellucian Banner Enterprise Identity Services +1

Joshua Mulliken
Published: 2019-05-13
Updated: 2021-07-21
CVE: CVE-2019-8978
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Ellucian Banner Web Tailor versions 8.8.3 through 8.9
Ellucian Banner Enterprise Identity Services versions 8.3 through 8.4

Description

An improper authentication vulnerability that can be exploited through a race condition. A remote attacker can steal a victim's session and cause a denial of service by repeatedly requesting the initial main page with the IDMSESSID cookie set to the victim's UDCID. By winning the race against a login attempt by the victim, the attacker is issued the SESSID that was meant for the victim.

Recommendations

For Ellucian Banner Web Tailor versions 8.8.3 through 8.9, consider disabling the SSO Manager functionality until a patch is available. For Ellucian Banner Enterprise Identity Services versions 8.3 through 8.4, restrict access to the initial main page to minimize the risk of exploitation. As a temporary workaround, avoid using the IDMSESSID cookie with the vulnerable versions of Ellucian Banner Web Tailor and Banner Enterprise Identity Services until the issue is resolved.

Tags: Exploit, Fix, Race Condition, Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2019-8978

Affected Products

Ellucian Banner Enterprise Identity Services
Ellucian Banner Web Tailor