GHSA-x7x7-w9rf-g664MediumCVSS 6.1
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross...
🔗 CVE IDs covered (1)
📋 Description
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-32856
- https://www.ellucian.com/assets/en/brochure/brochure-learn-more-about-ellucian-banner-self-service.pdf
- https://www.ellucian.com/security-researcher-hall-of-fame
- https://www.vulncheck.com/advisories/ellucian-banner-self-service-reflected-xss-via-dateconverter
- https://github.com/advisories/GHSA-x7x7-w9rf-g664