Vulnerability CVE-2017-1653


Published: 2018-01-26

Description:
IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 6.0.x) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133268.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: IBM
Product: Rational doors next generation 
Version:
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
Product: Rational team concert 
Version:
6.0.3
6.0.1
6.0.0
6.0
Product: Rational rhapsody design manager 
Version:
6.0.3
6.0.2
6.0.1
6.0.0
6.0
Product: Rational quality manager 
Version:
6.0.3
6.0.2
6.0.1
6.0.0
6.0
Product: Rational engineering lifecycle manager 
Version:
6.0.3
6.0.2
6.0.1
6.0.0
6.0
Product: Rational collaborative lifecycle management 
Version:
6.0.3
6.0.1
6.0.0
6.0
Product: Rational software architect design manager 
Version: 6.0.1; 6.0;

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.ibm.com/support/docview.wss?uid=swg22012712
http://www.securityfocus.com/bid/102853
http://www.securitytracker.com/id/1040305
http://www.securitytracker.com/id/1040306
http://www.securitytracker.com/id/1040307
https://exchange.xforce.ibmcloud.com/vulnerabilities/133268

Related CVE
CVE-2018-1669
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (X...
CVE-2018-1664
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization he...
CVE-2018-1659
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potenti...
CVE-2018-1588
IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expo...
CVE-2018-1560
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potenti...
CVE-2018-1674
IBM Business Process Manager 8.5 through 8.6 and 18.0.0.0 through 18.0.0.1 are vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in th...
CVE-2018-1719
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security under certain conditions. This could result in a downgrade of TLS protocol. A remote attacker could exploit this vulnerability to perform man-in-the-middle attac...
CVE-2018-1698
IBM Maximo Asset Management 7.6 through 7.6.3 could allow an unauthenticated attacker to obtain sensitive information from error messages. IBM X-Force ID: 145967.

Copyright 2018, cxsecurity.com

 

Back to Top