MEDIUM 5.4

CVE-2026-47106: Ellucian Banner Stored XSS in Course Search—Remediation Guide

Ellucian Banner Self-Service contains a stored cross-site scripting (XSS) vulnerability in its course search feature. An authenticated user with write access to the Banner ERP system can inject malicious code into faculty names, email addresses, course descriptions, or course titles. When other users later view course meeting times through an unauthenticated API endpoint, that malicious code executes in their browsers without any sanitization, potentially compromising their sessions or stealing sensitive information. The vulnerability affects all versions released before April 23, 2025.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from missing HTML encoding during DOM insertion in Banner Self-Service's course search functionality. Specifically, the getFacultyMeetingTimes API endpoint serves faculty and course metadata (displayName, emailAddress, subjectDescription, courseTitle) that were stored without proper sanitization. An authenticated Banner ERP user with write permissions can craft malicious JavaScript payloads and persist them in these fields via the course search interface. Because the API endpoint is unauthenticated and returns unsanitized HTML content, any user who fetches meeting times receives and executes the attacker's injected script. The attack requires two distinct user roles: an insider or compromised account with ERP write access to plant the payload, and a target user accessing the self-service portal. This is classified as a stored XSS (CWE-79) rather than a reflected variant because the malicious script persists in the application's data store.

Business impact

This vulnerability enables account compromise, session hijacking, and credential theft for any user accessing course meeting times in Banner Self-Service. Faculty and students who regularly check schedules are exposed. For institutions, the risk includes reputational damage, potential regulatory compliance violations if student or employee data is exfiltrated, and operational disruption if attackers modify course information visible to users. The attack chain requires insider access or a compromised privileged account, limiting exposure to external threat actors but elevating risk from disgruntled staff or vendors with ERP write permissions. Institutions with shared administrative accounts or weak access controls face higher risk.

Affected systems

Ellucian Banner Self-Service versions prior to the April T2 release (2025-04-23) are affected. The specific vulnerable component is the course search functionality and the getFacultyMeetingTimes API endpoint. Only Banner instances configured to expose this self-service module are at risk. Institutions running patched or more recent releases are not affected.

Exploitability

Exploiting this vulnerability requires valid credentials with Banner ERP write access—a moderate barrier that limits opportunistic external attacks but poses significant insider risk. An attacker must first inject payloads into faculty or course fields, which requires familiarity with Banner's administrative interfaces. Once stored, the payload executes automatically whenever any user queries meeting times via the unauthenticated API, requiring no additional interaction from the attacker. The CVSS score of 5.4 (Medium) reflects the requirement for prior authentication, though the widespread exposure via an unauthenticated endpoint and the potential for persistent data exfiltration or session theft elevate practical concern. No active exploits have been added to CISA's Known Exploited Vulnerabilities catalog as of this writing.

Remediation

Apply the April T2 release (2025-04-23) or later versions of Ellucian Banner Self-Service immediately. This patch introduces proper HTML encoding for faculty and course metadata before DOM insertion. Organizations unable to patch immediately should restrict access to the getFacultyMeetingTimes API endpoint through network controls or Web Application Firewall (WAF) rules, enforce the principle of least privilege for Banner ERP write access, and monitor activity logs for suspicious modifications to faculty and course fields.

Patch guidance

Upgrade to Ellucian Banner Self-Service April T2 release (2025-04-23) or later. Before applying any patch, validate compatibility with your current Banner version and dependent systems, test in a non-production environment, and coordinate downtime with academic calendars to minimize disruption. Ellucian recommends reviewing your current release level in the Banner administration console (System Administration > Release Information). Consult Ellucian's official advisory for detailed step-by-step patching procedures and rollback instructions specific to your deployment architecture.

Detection guidance

Search application logs and web server access logs for requests to the getFacultyMeetingTimes endpoint, particularly those retrieving course metadata. Look for unusual patterns in faculty displayName, emailAddress, or course title fields—specifically entries containing HTML tags, JavaScript keywords (e.g., 'onclick', 'onerror', '<script>'), or URL-encoded special characters. Review Banner ERP audit logs for changes to course and faculty records made by unexpected user accounts or at unusual times. Implement a WAF rule to block requests containing common XSS payloads in API responses. Browser console errors or unexpected JavaScript execution on Banner Self-Service pages may also signal exploitation.

Why prioritize this

Although the CVSS score is Medium (5.4), the vulnerability merits prompt attention due to its stored nature—once injected, malicious payloads persist and affect all subsequent users—and the broad exposure through an unauthenticated API endpoint. The risk is elevated for institutions with weak access controls on Banner ERP write permissions or those using shared administrative credentials. However, active external exploitation appears unlikely without prior system access, making this lower priority than critical or high-severity vulns. Prioritize patching for institutions with high student or faculty access to the self-service portal.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects a Medium severity assessment based on: (1) authentication requirement (PR:L)—only Banner ERP users with write access can inject payloads; (2) user interaction required (UI:R)—a victim must visit the course meeting times page; (3) changed scope (S:C)—the payload affects resources beyond the Banner ERP system; and (4) low impact on confidentiality and integrity (C:L, I:L), with no availability impact. The score does not heavily penalize the stored nature of the XSS or the widespread exposure via an unauthenticated API; therefore, practical risk may feel higher in environments with permissive ERP access controls or high self-service portal usage.

Frequently asked questions

Can an unauthenticated attacker exploit this directly?

No. The initial injection requires valid Banner ERP credentials and write access to course or faculty records. However, once a payload is stored, unauthenticated users accessing the getFacultyMeetingTimes API endpoint will receive and execute the malicious script. This two-stage attack requires an insider or compromised privileged account.

What data is at risk if my session is hijacked via this XSS?

An attacker executing JavaScript in your browser can steal session cookies, access FERPA-protected student records, modify course information, or redirect you to phishing sites. The scope of damage depends on your user role (student, faculty, administrator) and what data your session can access in Banner.

Do I need to patch if I don't use the self-service portal?

If your institution does not expose Banner Self-Service to users or does not enable the course search functionality, direct risk is minimal. However, internal testing or future enablement means the vulnerability should still be remediated to avoid latent exposure.

Can the patch be applied without downtime?

That depends on your Banner deployment architecture and Ellucian's specific guidance for this patch. Some updates may be applied as rolling patches with minimal disruption; others may require a scheduled maintenance window. Consult your Ellucian representative and release notes for your specific configuration.

This analysis is based on publicly available information as of the published and modified dates. Patch version numbers and release dates are sourced directly from vendor advisories and should be verified against your Ellucian support portal before deployment. No exploit code or proof-of-concept is provided. This vulnerability intelligence is offered for informational purposes to support risk assessment and remediation planning; it does not constitute formal security advice. Organizations should conduct their own threat modeling, impact assessment, and testing in isolated environments before applying patches to production systems. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and assumes no liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).