Vulnerability CVE-2018-1952


Published: 2019-03-14

Description:
IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 6.0.6) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153495.

Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: IBM

Product: Rational Team Concert
Versions: 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.1, 6.0.0, 6.0, 5.0.2, 5.0.1, 5.0.0, 5.0

Product: Rational Engineering Lifecycle Manager
Versions: 6.0.6, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 6.0, 5.0.2, 5.0.1, 5.0.0, 5.0

Product: Rational DOORS Next Generation
Versions: 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.0.2, 5.0.1, 5.0.0, 5.0

Product: Rational Quality Manager
Versions: 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 6.0, 5.0.2, 5.0.1, 5.0.0, 5.0

Product: Rational Rhapsody Design Manager
Versions: 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 6.0, 5.0.2, 5.0.1, 5.0.0, 5.0

Product: Rational Collaborative Lifecycle Management
Versions: 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.1, 6.0.0, 6.0, 5.0.2, 5.0.1, 5.0.0, 5.0

Product: Rational Software Architect Design Manager
Versions: 6.0.1, 6.0.0, 6.0, 5.0.2, 5.0.1, 5.0.0, 5.0

CVSS2 vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score:        3.5/10
Impact Subscore:        2.9/10
Exploitability Subscore: 6.8/10

Exploit range:          Remote
Attack complexity:      Medium
Authentication:         Single time
Confidentiality impact: None
Integrity impact:       Partial
Availability impact:    None

References:
http://www.ibm.com/support/docview.wss?uid=ibm10875340
http://www.securityfocus.com/bid/107435
https://exchange.xforce.ibmcloud.com/vulnerabilities/153495

Related CVEs:

CVE-2019-4279: IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.

CVE-2019-4119: IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 can be used as an HTTP proxy to not only cluster internal but also external target IP addresses. IBM X-Force ID: 158145.

CVE-2019-4259: A security vulnerability has been identified in IBM Spectrum Scale 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 with CES stack enabled that could allow sensitive data to be included with service snaps. IBM X-Force ID: 160011.

CVE-2019-4204: IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially l...

CVE-2018-1990: IBM Cloud App Management V2018.2.0, V2018.4.0, and V2018.4.1 could allow an attacker to obtain sensitive configuration information using a specially crafted HTTP request. IBM X-Force ID: 154283.

CVE-2018-1790: IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. I...

CVE-2019-4208: IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. ...

CVE-2019-4207: IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 may disclose sensitive information only available to a local user that could be used in further attacks against the system. IBM X-Force ID: 159148.

Copyright 2019, cxsecurity.com