What is CVE-2020-8434?

CVE-2020-8434 is a vulnerability in Jenzabar JICS (Internet Campus Solution) before version 9.0.1 Patch 3, 9.1 before version 9.1.2 Patch 2, and 9.2 before version 9.2.2 Patch 8 that allows for authentication bypass and login with any account.

What is the severity of CVE-2020-8434?

CVE-2020-8434 has a severity rating of 9.8 (Critical).

How does CVE-2020-8434 affect Jenzabar JICS?

CVE-2020-8434 affects Jenzabar JICS versions before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 by allowing authentication bypass and login with any account.

Is there a fix for CVE-2020-8434?

Yes, users should upgrade to Jenzabar JICS version 9.0.1 Patch 3, 9.1 version 9.1.2 Patch 2, or 9.2 version 9.2.2 Patch 8 to fix CVE-2020-8434.

Where can I find more information about CVE-2020-8434?

More information about CVE-2020-8434 can be found at the following reference: [link](https://medium.com/@mdavis332/higher-ed-erp-portal-vulnerability-auth-bypass-to-login-any-account-f1aeef438f80)

Vulnerability/
CVE-2020-8434

critical

9.8

CWE

384

19/5/2020

4/8/2024

CVE-2020-8434

First published: Tue May 19 2020(Updated: )

Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode it to a client-side cookie for persistent session authentication. By knowing the key and algorithm, an attacker can select any username, encrypt it, base64 encode it, and save it in their browser with the correct JICSLoginCookie cookie format to impersonate any real user in the JICS database without the need for authenticating (or verifying with MFA if implemented).

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Jenzabar Internet Campus Solution	<=9.0.1
Jenzabar Internet Campus Solution	>=9.1.0<=9.1.2
Jenzabar Internet Campus Solution	>=9.2.0<=9.2.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-8434?
CVE-2020-8434 is a vulnerability in Jenzabar JICS (Internet Campus Solution) before version 9.0.1 Patch 3, 9.1 before version 9.1.2 Patch 2, and 9.2 before version 9.2.2 Patch 8 that allows for authentication bypass and login with any account.
What is the severity of CVE-2020-8434?
CVE-2020-8434 has a severity rating of 9.8 (Critical).
How does CVE-2020-8434 affect Jenzabar JICS?
CVE-2020-8434 affects Jenzabar JICS versions before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 by allowing authentication bypass and login with any account.
Is there a fix for CVE-2020-8434?
Yes, users should upgrade to Jenzabar JICS version 9.0.1 Patch 3, 9.1 version 9.1.2 Patch 2, or 9.2 version 9.2.2 Patch 8 to fix CVE-2020-8434.
Where can I find more information about CVE-2020-8434?
More information about CVE-2020-8434 can be found at the following reference: [link](https://medium.com/@mdavis332/higher-ed-erp-portal-vulnerability-auth-bypass-to-login-any-account-f1aeef438f80)

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/author
agent/last-modified-date
agent/references
agent/severity
agent/tags
agent/description
agent/first-publish-date
agent/event
agent/source
vendor/jenzabar
canonical/jenzabar internet campus solution
version/jenzabar internet campus solution/9.0.1
version/jenzabar internet campus solution/9.1.0
version/jenzabar internet campus solution/9.1.2
version/jenzabar internet campus solution/9.2.0
version/jenzabar internet campus solution/9.2.2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.