Description
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ellucian Banner Self-Service versions prior to the April T2 release (2025-04-23) have a stored cross-site scripting flaw in the course search functionality that lets authenticated Banner ERP users inject malicious JavaScript into faculty and course fields. The flaw stems from missing HTML encoding during DOM insertion. An attacker with write access can store scripts in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle, and these values are later returned unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint. When any user opens the affected course's meeting times, the stored script runs in the victim's browser, enabling arbitrary client-side code execution.

Affected Systems

The vulnerability affects Ellucian Banner Self-Service software. All releases before the April T2 update (2025-04-23) are vulnerable; later releases presumably contain the fix.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is <1%, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The stored payload reaches victims through the publicly accessible getFacultyMeetingTimes API, but injecting it requires an authenticated Banner ERP user with write access. Once stored, the payload executes in the victim's browser context, providing client-side code execution.

Generated by OpenCVE AI on June 10, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the April T2 release (2025‑04‑23) or later to receive the vendor patch.
  • If immediate upgrade is impossible, sanitize or HTML‑encode all data returned by the getFacultyMeetingTimes API before it is inserted into the DOM.
  • Limit access to the getFacultyMeetingTimes API to trusted users only, and monitor for anomalous input patterns that may indicate exploitation attempts.
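The second recommended action above is the general fix for this class of bug: encode every API-supplied field before it reaches markup. The following is an added example written for this page, not Ellucian's code and not derived from the Banner Self-Service client; the function names (renderMeetingTimes, renderMeetingTimesUnsafe, escapeHtml) and the sample record shaped like a getFacultyMeetingTimes response are constructed for illustration. It places the unsafe concatenation pattern next to the hardened one so the difference in output can be checked directly.

```javascript
// Added example, not Ellucian's code. Names and the sample record below are
// constructed for illustration only.

// Minimal HTML entity encoder covering the characters that matter in text
// and double-quoted attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Coerce null/undefined to '' so a missing field cannot throw.
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: raw string concatenation into markup, the kind of DOM
// insertion the advisory describes. Kept only to contrast with the hardened
// version; stored markup in any field is emitted verbatim.
function renderMeetingTimesUnsafe(meeting) {
  const f = meeting.faculty;
  return `<tr><td>${meeting.courseTitle}</td>` +
         `<td><a href="mailto:${f.emailAddress}">${f.displayName}</a></td></tr>`;
}

// Hardened version: every API-supplied field passes through escapeHtml, so
// stored markup is rendered as literal text and a quote in an attribute value
// cannot terminate the attribute.
function renderMeetingTimes(meeting) {
  const f = meeting.faculty;
  return `<tr><td>${escapeHtml(meeting.courseTitle)}</td>` +
         `<td><a href="mailto:${escapeHtml(f.emailAddress)}">` +
         `${escapeHtml(f.displayName)}</a></td></tr>`;
}

// Constructed sample record (not real data) in which displayName carries a
// stored tag and emailAddress carries a quote that would break out of the
// href attribute.
const sampleMeeting = {
  courseTitle: 'Intro to Databases',
  faculty: {
    displayName: 'Dr. Smith<script>alert(1)</script>',
    emailAddress: 'smith@example.edu" data-x="y',
  },
};

// Reviewer-style check: true when the rendered markup still contains an
// unencoded tag opener or an attribute-breaking sequence.
function leaksRawMarkup(html) {
  return /<script/i.test(html) || html.includes('" data-x=');
}

console.log('unsafe leaks markup:', leaksRawMarkup(renderMeetingTimesUnsafe(sampleMeeting)));
console.log('hardened leaks markup:', leaksRawMarkup(renderMeetingTimes(sampleMeeting)));
console.log(renderMeetingTimes(sampleMeeting));
```

In a browser the same effect is obtained without building strings at all: assign text with `textContent` or `document.createTextNode` and set attributes with `setAttribute`, so the encoding step cannot be forgotten for one field.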

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 13:30:00 +0000

Type: Description
Values removed: Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.
Values added: Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.

Wed, 10 Jun 2026 11:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Ellucian; Ellucian banner Self-service

Type: Vendors & Products
Values removed: (none)
Values added: Ellucian; Ellucian banner Self-service

Tue, 09 Jun 2026 19:45:00 +0000

Type: Description
Values removed: (none)
Values added: Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.

Type: Title
Values removed: (none)
Values added: Ellucian Banner Self-Service Stored XSS via getFacultyMeetingTimes API

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Type: Metrics (cvssV4_0)
Values removed: (none)
Values added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T13:42:34.323Z

Reserved: 2026-05-18T19:22:26.748Z

Link: CVE-2026-47106

Vulnrichment

Updated: 2026-06-10T13:39:16.447Z

NVD

Status : Deferred

Published: 2026-06-09T20:16:59.403

Modified: 2026-06-10T19:41:25.327

Link: CVE-2026-47106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:15:07Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')