Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. Attackers can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle through the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution.
AnalysisAI
Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Ellucian Banner Self-Service (CPE: cpe:2.3:a:ellucian:banner_self-service:*:*:*:*:*:*:*:*) is a higher-education ERP web application widely deployed at colleges and universities for student and faculty self-service tasks, including course discovery. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically a stored/persistent variant. The getFacultyMeetingTimes API endpoint, which requires no authentication to query, exposes faculty and course fields without applying HTML entity encoding before those values are inserted into the DOM during course search rendering. Because attacker-controlled strings reach the document object model as raw HTML rather than escaped text, any script tags or event-handler payloads they contain execute in the context of the victim's browser session, enabling the scope change noted in the CVSS vector (S:C).
RemediationAI
The primary remediation is to upgrade Ellucian Banner Self-Service to the April T2 release (2025-04-23) or any subsequent release, which addresses the missing HTML encoding during DOM insertion in the course search interface. Institutions should apply this update through their standard Ellucian patching process and consult the VulnCheck advisory at https://www.vulncheck.com/advisories/ellucian-banner-self-service-stored-xss-via-getfacultymeetingtimes-api for technical context. If immediate patching is not feasible, a compensating control is to audit and restrict Banner ERP role permissions so that only operationally necessary accounts retain write access to the affected fields (faculty displayName, emailAddress, subjectDescription, courseTitle), reducing the number of accounts capable of planting payloads; however, this does not remediate the encoding defect and may disrupt legitimate faculty and administrative workflows. Deploying a WAF with XSS filtering rules targeted at the getFacultyMeetingTimes API endpoint and the course search UI can provide an additional detection and blocking layer, though WAF-based XSS filtering is bypassable and should not be treated as a substitute for patching.
More in Banner Self Service
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35796
GHSA-pgpc-33v2-x2qg