Thursday, December 3, 2015

Ellucian Banner Student Vulnerability Disclosure

Previous CVEs for Banner Student were filed under the vendor name SunGard. All vulnerabilities are fixed in patch pcr-000134142_bws8070102, included in the latest version of the product (8.7.1.2) as of November 26, 2015.

-----

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
CVE Reference: CVE-2015-5054
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSSv3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: RiskSense, Inc.

Advisory Details:

Open Redirect in Ellucian Banner Student: CVE-2015-5054

A user can be redirected to a malicious page when a link is clicked from a crafted URL.
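A server-side allowlist check of the kind that closes CWE-601, added here as an illustration; it is not Banner code, and the application origin and paths are constructed for the example. It rejects absolute URLs, protocol-relative targets (including backslash and triple-slash variants that browsers resolve to another host) and control characters, and falls back to a known page otherwise.

```python
from urllib.parse import urlsplit, urljoin

# Hypothetical application origin, constructed for this example.
APP_ORIGIN = "https://banner.example.edu"


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is an app-rooted path on APP_ORIGIN."""
    if not target:
        return False
    # Control characters enable header injection and are stripped by
    # browsers during URL parsing, so reject them outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    candidate = target.strip()
    # Browsers treat "\" like "/" in special schemes, so "/\evil" == "//evil".
    candidate = candidate.replace("\\", "/")
    # "//host" and "///host" both resolve to a foreign authority.
    if candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False  # absolute URL such as https://... or javascript:...
    # Demand a path rooted at the application, not a bare relative segment.
    return candidate.startswith("/")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Resolve `target` against APP_ORIGIN, or `fallback` when it is unsafe."""
    chosen = target.strip().replace("\\", "/") if is_safe_redirect(target) else fallback
    return urljoin(APP_ORIGIN, chosen)


if __name__ == "__main__":
    # Constructed sample inputs of the kind an open-redirect parameter receives.
    for sample in ["/account/home?tab=1", "//evil.example/", "/\\evil.example",
                   "///evil.example", "https://evil.example/", "javascript:alert(1)"]:
        print(f"{sample!r:32} -> {resolve_redirect(sample)}")
```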

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A10 - https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
[4] CWE-601 - https://cwe.mitre.org/data/definitions/601.html

-----

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2
Tested Version: 8.5.1.2
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]
CVE Reference: CVE-2015-4687
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSSv3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details:

Reflected Cross-Site Scripting (XSS) in Ellucian Banner Student: CVE-2015-4687

Unsanitized data input from application parameters allows an attacker to execute arbitrary JavaScript code using a malicious URL.

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A3 - https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
[4] CWE-79 - https://cwe.mitre.org/data/definitions/79.html

-----

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Information Exposure Through Discrepancy [CWE-203]
CVE Reference: CVE-2015-4688
Risk Level: Medium
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details:

User Enumeration in Ellucian Banner Student: CVE-2015-4688

Differences between server responses reveal whether a given user account exists, allowing valid accounts in the system to be enumerated by brute force.

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A2 - https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
[4] CWE-203 - https://cwe.mitre.org/data/definitions/203.html

-----

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password [CWE-640]
CVE Reference: CVE-2015-4689
Risk Level: Medium - High
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSSv3 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details:

Weak Password Reset in Ellucian Banner Student: CVE-2015-4689

An attacker is able to change login credentials of users through a weak password reset mechanism.

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A2 - https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
[4] CWE-640 - https://cwe.mitre.org/data/definitions/640.html

-----

RiskSense, Inc. Security Analysts: Dylan Davis, Sean Dillon, Zachary Harding
