Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-49339 PoC — Ellucian 安全漏洞

Source
https://github.com/3zizme/CVE-2023-49339
Associated Vulnerability
Title:Ellucian 安全漏洞 (CVE-2023-49339)
Description:Ellucian是Ellucian公司的支持 SaaS 的开放和灵活技术生态系统。 Ellucian Banner 9.17及之前版本存在安全漏洞,该漏洞源于端点/StudentSelfService/ssb/studentCard/retrieveData存在不安全直接对象引用(IDOR)漏洞。
Description
Critical Security Vulnerability in Ellucian Banner System
Readme
# CVE-2023-49339 Security Vulnerability Report: Ellucian Banner System

## Introduction

This document outlines a critical security vulnerability found in the Ellucian Banner System, particularly in version 9.17 and earlier versions. The vulnerability has been identified in systems used by various universities in Saudi Arabia, potentially exposing sensitive student data.

## Vulnerability Details

- **Type:** Insecure Direct Object Reference (IDOR)
- **Endpoint Affected:** `/StudentSelfService/ssb/studentCard/retrieveData`
- **Parameter in Question:** `bannerId`
- **Impact:** Unauthorized exposure of sensitive student data, including personal identifiers, academic records, and contact information.

### Steps to Reproduce

1. Log in to the Banner system using legitimate user credentials.
2. Navigate to the URL endpoint that retrieves student card information.
3. Modify the `bannerId` parameter in the URL to a different student's identifier.
4. Observe that the system displays information for the altered `bannerId`, bypassing necessary authorization checks.

## Affected Versions

The vulnerability impacts the Ellucian Banner System, version 9.17 and earlier. It is crucial for institutions using these versions to take immediate action to mitigate the risks.

## Recommended Actions

1. **Immediate Patching:** Ellucian should urgently develop and release a security patch for the affected versions.
2. **Enhanced Authorization Checks:** Implement strict authorization checks on the affected endpoint.
3. **System Audit:** Conduct a thorough audit to identify and fix similar vulnerabilities.
4. **Regular Updates and Training:** Establish protocols for regular system updates and user training on security best practices.
5. **Ongoing Monitoring:** Continuously monitor the system for signs of unauthorized access or exploitation attempts.


## CVE Submission

This vulnerability has been registered with the CVE ID: CVE-2023-49339. Further details and updates regarding the vulnerability will be provided as they become available.

## By

Abdulaziz Naif Almadhi

---
File Snapshot

 [4.0K]  /data/pocs/020c25527fe9822bb36d4fb4132770e9db433591
└── [2.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.