CVE-2019-8978

HIGH EXPLOITED

Ellucian Banner Enterprise Identity Services - Race Condition

Exploitation Summary

CVE-2019-8978 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including SecKatie.

AI-analyzed exploit summary: The repository contains a Python-based PoC exploit for CVE-2019-8978, an improper authentication vulnerability in Ellucian Banner Web Tailor and Banner Enterprise Identity Services. The exploit leverages a race condition to steal a victim's session by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID.

Description

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.

Exploits (2)

nomisec WORKING POC 9 stars
by SecKatie · poc
https://github.com/SecKatie/CVE-2019-8978

The repository contains a Python-based PoC exploit for CVE-2019-8978, an improper authentication vulnerability in Ellucian Banner Web Tailor and Banner Enterprise Identity Services. The exploit leverages a race condition to steal a victim's session by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Racy
Target: Ellucian Banner Web Tailor (8.8.3, 8.8.4, 8.9) and Banner Enterprise Identity Services (8.3, 8.3.1, 8.3.2, 8.4)
No auth needed
Prerequisites: Victim's UDCID (institutional ID) · Access to the target host URL · Python 3 with selenium and requests_threads packages
devstral-2 · analyzed Feb 16, 2026
inthewild WORKING POC
poc
https://github.com/joshuamulliken/cve-2019-8978

The repository contains a functional Python exploit for CVE-2019-8978, an improper authentication vulnerability in Ellucian Banner Web Tailor and Banner Enterprise Identity Services. The exploit leverages a race condition to steal a victim's session by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID.

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Racy
Target: Ellucian Banner Web Tailor (8.8.3, 8.8.4, 8.9) and Banner Enterprise Identity Services (8.3, 8.3.1, 8.3.2, 8.4)
No auth needed
Prerequisites: target URL · victim's UDCID (institutional ID)
devstral-2 · analyzed Feb 23, 2026

References (6)

Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/May/18
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/May/31
Permissions Required x_refsource_misc
https://ecommunities.ellucian.com/message/252749#252749
Permissions Required x_refsource_misc
https://ecommunities.ellucian.com/message/252810#252810

Scores

CVSS v3 8.1
EPSS 0.0827
EPSS Percentile 92.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-07-19
CWE: CWE-287, CWE-362
Status published
Products (7)
ellucian/banner_enterprise_identity_services 8.3
ellucian/banner_enterprise_identity_services 8.3.1
ellucian/banner_enterprise_identity_services 8.3.2
ellucian/banner_enterprise_identity_services 8.4
ellucian/banner_web_tailor 8.8.3
ellucian/banner_web_tailor 8.8.4
ellucian/banner_web_tailor 8.9
Published May 14, 2019
Tracked Since Feb 18, 2026