IBM.Collaborative.Lifecycle.Management.XSS

Description

This indicates the detection of an attack attempt against a cross-site scripting vulnerability in IBM Jazz based Applications.
The vulnerability is caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Affected Products

Rational Collaborative Lifecycle Management 3.0.1.6 - 6.0.2
Rational Quality Manager 3.0.1.6
Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.2
Rational Team Concert 3.0.1.6
Rational Team Concert 4.0 - 4.0.7
Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.2
Rational DOORS Next Generation 4.0 - 4.0.7
Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.2
Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7
Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.2
Rational Rhapsody Design Manager 4.0 - 4.0.7
Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.2
Rational Software Architect Design Manager 4.0 - 4.0.7
Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.2

Impact

System Compromise: Remote attackers can execute arbitrary script code within the context of the target system

Recommended Actions

Upgrade to the latest version from the vendor.
http://www-01.ibm.com/support/docview.wss?uid=swg21991478

References