AI description
Automated description summarized from trusted sources.
CVE-2026-32856 describes a reflected cross-site scripting (XSS) vulnerability found in Ellucian Banner Self-Service. This flaw allows unauthenticated attackers to execute arbitrary JavaScript within a victim's browser. The vulnerability arises from the injection of unsanitized input through the `toDateFormat` request parameter, which is processed by the `dateConverter` endpoint. By crafting a malicious URL, an attacker can exploit this vulnerability to perform actions such as stealing session cookies or carrying out other unauthorized activities within the context of the victim's browser session. The affected versions of Ellucian Banner Self-Service are those released before the April T2 release, dated April 23, 2025.
- Description
- Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session.
- Source
- disclosure@vulncheck.com
- NVD status
- Deferred
CVSS 4.0
- Type
- Secondary
- Base score
- 5.1
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- disclosure@vulncheck.com
- CWE-79