CVE-2023-2822

MEDIUM NUCLEI

Ellucian Ethos Identity <5.10.5 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-2822. PoCs published by cberman. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Flask application demonstrating CVE-2023-2822, a reflected XSS vulnerability in the Ellucian Ethos Identity CAS logout page. The app intentionally includes a vulnerable endpoint that reflects user input without proper sanitization, allowing XSS exploitation.

Description

A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.10.6 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-229596.

Exploits (1)

nomisec WORKING POC 3 stars
by cberman · poc
https://github.com/cberman/CVE-2023-2822-demo

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Ellucian Ethos Identity CAS (version not specified)
No auth needed
Prerequisites: Access to the vulnerable endpoint · Ability to craft malicious URLs
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Ellucian Ethos Identity CAS - Cross-Site Scripting
MEDIUM · by Guax1
Shodan: html:"Ellucian Company" || http.html:"ellucian company"
FOFA: body="ellucian company"

References (4)

Core 4
Core References
Permissions Required, Third Party Advisory, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.229596
Permissions Required, Third Party Advisory, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.229596
Exploit, Third Party Advisory exploit
https://medium.com/@cyberninja717/685bb1675dfb

Scores

CVSS v3 4.3
EPSS 0.0330
EPSS Percentile 86.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
ellucian/ethos_identity < 5.10.6
Published May 20, 2023
Tracked Since Feb 18, 2026