Cyber Resilience

CVE-2023-2822

MediumPublic PoC

Published: 20 May 2023

Published
20 May 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Score 0.8099 99.2th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2822 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Ellucian Ethos Identity. Its CVSS base score is 4.3 (Medium).

Operationally, ranked in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A reflected cross-site scripting vulnerability exists in Ellucian Ethos Identity versions up to 5.10.5. The issue resides in an unknown function of the /cas/logout endpoint, where unsanitized input to the url parameter allows arbitrary script injection. The flaw is tracked as CWE-79 and carries a CVSS 3.1 base score of 4.3.

An unauthenticated remote attacker can exploit the weakness by supplying a crafted URL that is later rendered in a victim's browser. Successful exploitation permits the attacker to execute script in the context of the affected user, resulting in limited integrity impact such as content modification or session manipulation. The attack requires user interaction, typically in the form of clicking a malicious link.

The vendor has addressed the issue in version 5.10.6. Public references, including a detailed disclosure on Medium, confirm that the exploit code has been released and recommend immediate upgrade of the affected component.

The associated EPSS score currently stands at 0.8099 with a recorded peak of 0.8367, indicating sustained moderate exploitation interest following public disclosure.

EU & UK References

Vulnerability details

A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible…

more

to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.10.6 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-229596.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ellucian
ethos identity
≤ 5.10.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References