Description
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the dateConverter endpoint of Ellucian Banner Self-Service. An attacker can craft a URL that embeds JavaScript in the toDateFormat query-string parameter. Because the input is not sanitized, the script is reflected back into the victim's browser and runs in the context of the victim's session, allowing the attacker to steal session cookies or perform other malicious actions. This weakness is classified as CWE-79 (improper neutralization of input during web page generation).

Affected Systems

Ellucian Banner Self-Service is affected. Any version prior to the April T2 release (23 April 2025) is vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 5.1 (v3.1: 6.1) indicates medium severity. The flaw is exploitable by unauthenticated users via a crafted URL targeting the dateConverter endpoint, so no privileged access is required, although a victim must be induced to open the link (user interaction is required in both CVSS vectors). Attackers can inject malicious scripts into the victim's browser, potentially enabling session hijacking or other browser-based attacks. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, but the absence of known exploitation does not reduce the need for timely mitigation.

Generated by OpenCVE AI on June 9, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround is currently recorded for this entry.

OpenCVE Recommended Actions

  • Upgrade to the April T2 release (23 April 2025) or a later version of Ellucian Banner Self-Service
  • Block or rate-limit unauthenticated access to the dateConverter endpoint until the patch is applied
  • As a compensating control until the upgrade is applied, deploy a web application firewall rule that HTML-encodes or rejects markup characters in the toDateFormat parameter, so that injected scripts are neutralized before they reach the browser


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Ellucian; Ellucian banner Self-service

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Ellucian; Ellucian banner Self-service

Tue, 09 Jun 2026 19:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.

Type: Title
  Values Removed: (none)
  Values Added: Ellucian Banner Self-Service Reflected XSS via dateConverter

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T19:23:31.515Z

Reserved: 2026-03-16T18:11:41.759Z

Link: CVE-2026-32856

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T20:16:34.363

Modified: 2026-06-09T20:16:34.363

Link: CVE-2026-32856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:22:14Z

Weaknesses