CVE-2020-8434

Name of the Vulnerable Software and Affected Versions Jenzabar JICS versions prior to 9.0.1 Patch 3 Jenzabar JICS versions 9.1 prior to 9.1.2 Patch 2 Jenzabar JICS versions 9.2 prior to 9.2.2 Patch 8

Description The issue allows an attacker to impersonate any real user in the JICS database without authenticating. This is possible because session cookies are a deterministic function of the username and a hard-coded password is used to encrypt the username. By knowing the key and algorithm, an attacker can select any username, encrypt it, and save it in their browser to impersonate the user.

Recommendations For versions prior to 9.0.1 Patch 3, update to 9.0.1 Patch 3 or later. For versions 9.1 prior to 9.1.2 Patch 2, update to 9.1.2 Patch 2 or later. For versions 9.2 prior to 9.2.2 Patch 8, update to 9.2.2 Patch 8 or later.