← volver
CVE-2026-32856

Ellucian Banner Self-Service Reflected XSS via dateConverter

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Productos afectados
Ellucian · Banner Self-Service

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://www.ellucian.com/assets/en/brochure/brochure-learn-more-about-ellucian-banner-self-service.pdfhttps://www.ellucian.com/security-researcher-hall-of-famehttps://www.vulncheck.com/advisories/ellucian-banner-self-service-reflected-xss-via-dateconverter