Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-49339 PoC — Ellucian 安全漏洞

Source
https://github.com/3zizme/CVE-2023-49339
Associated Vulnerability
Title:Ellucian 安全漏洞 (CVE-2023-49339)
Description:Ellucian Banner 9.17 allows Insecure Direct Object Reference (IDOR) via a modified bannerId to the /StudentSelfService/ssb/studentCard/retrieveData endpoint.
Description
Critical Security Vulnerability in Ellucian Banner System
Readme
# CVE-2023-49339 Security Vulnerability Report: Ellucian Banner System

## Introduction

This document outlines a critical security vulnerability found in the Ellucian Banner System, particularly in version 9.17 and earlier versions. The vulnerability has been identified in systems used by various universities in Saudi Arabia, potentially exposing sensitive student data.

## Vulnerability Details

- **Type:** Insecure Direct Object Reference (IDOR)
- **Endpoint Affected:** `/StudentSelfService/ssb/studentCard/retrieveData`
- **Parameter in Question:** `bannerId`
- **Impact:** Unauthorized exposure of sensitive student data, including personal identifiers, academic records, and contact information.

### Steps to Reproduce

1. Log in to the Banner system using legitimate user credentials.
2. Navigate to the URL endpoint that retrieves student card information.
3. Modify the `bannerId` parameter in the URL to a different student's identifier.
4. Observe that the system displays information for the altered `bannerId`, bypassing necessary authorization checks.

## Affected Versions

The vulnerability impacts the Ellucian Banner System, version 9.17 and earlier. It is crucial for institutions using these versions to take immediate action to mitigate the risks.

## Recommended Actions

1. **Immediate Patching:** Ellucian should urgently develop and release a security patch for the affected versions.
2. **Enhanced Authorization Checks:** Implement strict authorization checks on the affected endpoint.
3. **System Audit:** Conduct a thorough audit to identify and fix similar vulnerabilities.
4. **Regular Updates and Training:** Establish protocols for regular system updates and user training on security best practices.
5. **Ongoing Monitoring:** Continuously monitor the system for signs of unauthorized access or exploitation attempts.


## CVE Submission

This vulnerability has been registered with the CVE ID: CVE-2023-49339. Further details and updates regarding the vulnerability will be provided as they become available.

## By

Abdulaziz Naif Almadhi

---
File Snapshot

 [4.0K]  /data/pocs/020c25527fe9822bb36d4fb4132770e9db433591
└── [2.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →