MidnightBSD

Advisories for ellucian

CVE-2015-4687 MEDIUM

Cross-site scripting (XSS) vulnerability in Ellucian (formerly SunGard) Banner Student 8.5.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ellucian banner_student 8.5.1.2
CVE-2015-4688 MEDIUM

Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allow remote attackers to enumerate user accounts via a series of requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ellucian banner_student 8.6.3
ellucian banner_student 8.5.1.2
ellucian banner_student 8.7
ellucian banner_student 8.6.2
ellucian banner_student 8.6.6
ellucian banner_student 8.6.7
ellucian banner_student 8.6.4
ellucian banner_student 8.6.5
ellucian banner_student 8.6.1
CVE-2015-4689 MEDIUM

Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to reset arbitrary passwords via unspecified vectors, aka "Weak Password Reset."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-640,

Products Affected

Vendor Product Version
ellucian banner_student 8.6.3
ellucian banner_student 8.5.1.2
ellucian banner_student 8.7
ellucian banner_student 8.6.2
ellucian banner_student 8.6.6
ellucian banner_student 8.6.7
ellucian banner_student 8.6.4
ellucian banner_student 8.6.5
ellucian banner_student 8.6.1
CVE-2015-5054 MEDIUM

Open redirect vulnerability in Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
ellucian banner_student 8.6.3
ellucian banner_student 8.5.1.2
ellucian banner_student 8.7
ellucian banner_student 8.6.2
ellucian banner_student 8.6.6
ellucian banner_student 8.6.7
ellucian banner_student 8.6.4
ellucian banner_student 8.6.5
ellucian banner_student 8.6.1
CVE-2019-8978 MEDIUM

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-362,

Products Affected

Vendor Product Version
ellucian banner_enterprise_identity_services 8.3.2
ellucian banner_enterprise_identity_services 8.4
ellucian banner_enterprise_identity_services 8.3.1
ellucian banner_web_tailor 8.8.4
ellucian banner_enterprise_identity_services 8.3
ellucian banner_web_tailor 8.8.3
ellucian banner_web_tailor 8.9
CVE-2023-1632 MEDIUM

** DISPUTED ** A vulnerability has been found in Ellucian Banner Web Tailor 8.6 and classified as critical. This vulnerability affects unknown code of the file /PROD_ar/twbkwbis.P_FirstMenu of the component Login Page. The manipulation of the argument PIDM/WEBID leads to improper authorization. The attack can be initiated remotely. After submitting proper login credentials it becomes possible to generate new valid session identifiers on the OTP page. The real existence of this vulnerability is still doubted at the moment. VDB-224014 is the identifier assigned to this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,CWE-285,

Products Affected

Vendor Product Version
ellucian banner_web_tailor 8.6
CVE-2023-2822 MEDIUM

A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.10.6 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-229596.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ellucian ethos_identity *
CVE-2023-49339

Ellucian Banner 9.17 allows Insecure Direct Object Reference (IDOR) via a modified bannerId to the /StudentSelfService/ssb/studentCard/retrieveData endpoint.

Products Affected

Vendor Product Version
ellucian banner *