How severe is CVE-2020-8434?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2020-8434?

This is classified as CWE-384, which is a common weakness in software security.

CVE-2020-8434

CRITICAL Year: 2020

CVSS v3 Score

9.8

Critical

CVSS v2 Score

5.0

Medium

Weakness Type

CWE-384

View all →

Vulnerability Description

Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode it to a client-side cookie for persistent session authentication. By knowing the key and algorithm, an attacker can select any username, encrypt it, base64 encode it, and save it in their browser with the correct JICSLoginCookie cookie format to impersonate any real user in the JICS database without the need for authenticating (or verifying with MFA if implemented).

CVE-2015-1174

CRITICAL

CVSS:9.8(Critical)

Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id.

CWE-3842015

CVE-2015-1820

CRITICAL

CVSS:9.8(Critical)

REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a respons...

CWE-3842015

CVE-2016-10405

CRITICAL

CVSS:9.8(Critical)

Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.

CWE-3842016

CVE-2016-9125

CRITICAL

CVSS:9.8(Critical)

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful aut...

CWE-3842016

CVE-2017-12868

CRITICAL

CVSS:9.8(Critical)

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass...

CWE-3842017

CVE-2017-12873

CRITICAL

CVSS:9.8(Critical)

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generat...

CWE-3842017

CVE-2020-8434

Vulnerability Description

Related Vulnerabilities

CVE-2015-1174

CVE-2015-1820

CVE-2016-10405

CVE-2016-9125

CVE-2017-12868

CVE-2017-12873