CVE-2023-49339

Name of the Vulnerable Software and Affected Versions Ellucian Banner version 9.17

Description The issue allows Insecure Direct Object Reference (IDOR) via a modified bannerId to the "/StudentSelfService/ssb/studentCard/retrieveData" endpoint. This means an attacker could potentially access sensitive information by manipulating the bannerId parameter in the request to the specified endpoint.

Recommendations For Ellucian Banner version 9.17, consider restricting access to the "/StudentSelfService/ssb/studentCard/retrieveData" endpoint until a patch is available. As a temporary workaround, avoid using the modified bannerId parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.