Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM147A4A45B7F74A2460AB0B30F03465821EDE2901DCB6027BFF8FD700A46C6ED2
HistoryApr 28, 2021 - 6:35 p.m.

Security Bulletin: Multiple Security Vulnerabilities affect IBM® Rational® Quality Manager

2021-04-2818:35:50
www.ibm.com
11

0.064 Low

EPSS

Percentile

93.7%

JSON

Summary

IBM® Rational® Quality Manager is vulnerable to multiple security vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-1649 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133259&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1395 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138427&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1405 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138441&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1404 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138440&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1403 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138439&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1439 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139589&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1440 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139595&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1522 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141803&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1557 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142955&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1601 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143791&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2010-2232 DESCRIPTION: Apache Derby could allow a remote attacker to overwrite arbitrary files, caused by a flaw in the Export functionality. An attacker could exploit this vulnerability to overwrite arbitrary files on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134130&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-5662 DESCRIPTION: Apache Batik could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted SVG file, a remote attacker could exploit this vulnerability to obtain sensitive information or possibly cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125198&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2009-4521 DESCRIPTION: Eclipse BIRT is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the report viewer. A remote attacker could exploit this vulnerability using the __report parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. Note: KonaKart uses BIRT and is also vulnerable.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/53773&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2018-1605 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143795&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1692 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145583&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1691 DESCRIPTION: IBM Quality Manager (RQM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145582&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 5.0 - 6.0.6

Rational Quality Manager 6.0 - 6.0.6
Rational Quality Manager 5.0 - 5.0.2

Remediation/Fixes

For the 6.0.x releases:

For the 5.x releases, upgrade to version 5.0.2 iFix27 or later

Workarounds and Mitigations

None

Related

prion 16
nvd 16
nessus 12
openvas 5
veracode 2
ibm 9
cve 16
cvelist 16
ubuntu 1
fedora 3
github 2
osv 5
redhatcve 1
debiancve 2
ubuntucve 1
debian 3
redhat 3
oracle 4
prion
prion
Cross site scripting
2009-12-31 19:30:00
Design/Logic Flaw
2017-10-23 13:29:00
Cross site scripting
2018-10-02 15:29:00
nvd
nvd
CVE-2009-4521
2009-12-31 19:30:00
CVE-2017-5662
2017-04-18 14:59:00
CVE-2010-2232
2017-10-23 13:29:00
nessus
nessus
Debian DLA-926-1 : batik security update
2017-05-01 00:00:00
Fedora 24 : batik (2017-aff3dd3101)
2017-05-10 00:00:00
Fedora 25 : batik (2017-43b46cd2da)
2017-05-10 00:00:00
openvas
openvas
Fedora Update for batik FEDORA-2017-aff3dd3101
2017-05-10 00:00:00
Fedora Update for batik FEDORA-2017-43b46cd2da
2017-05-10 00:00:00
Debian: Security Advisory (DLA-926-1)
2018-01-16 00:00:00
veracode
veracode
Information Disclosure Through An External XML Entity (XXE) Vulnerability
2017-04-19 01:00:17
Unauthorized File Overwrite
2017-10-24 03:50:39
ibm
ibm
Security Bulletin: Vulnerability in Apache Batik affects IBM Maximo Asset Management (CVE-2017-5662)
2018-06-17 15:45:59
Security Bulletin: Vulnerability in Apache Batik affects IBM Cúram Social Program Management (CVE-2017-5662)
2018-06-17 13:09:43
Security Bulletin: Multiple Vulnerabilities discovered in libraries used by TCRtoolkit in ITNM
2023-01-04 15:55:01
cve
cve
CVE-2009-4521
2009-12-31 19:30:00
CVE-2017-5662
2017-04-18 14:59:00
CVE-2018-1605
2018-10-02 15:29:02
cvelist
cvelist
CVE-2009-4521
2009-12-31 19:00:00
CVE-2017-5662
2017-04-18 14:00:00
CVE-2018-1605
2018-10-01 00:00:00
ubuntu
ubuntu
Apache Batik vulnerability
2017-05-09 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: batik-1.9-3.fc26
2017-05-09 21:29:07
[SECURITY] Fedora 25 Update: batik-1.8-9.fc25
2017-05-10 04:02:57
[SECURITY] Fedora 24 Update: batik-1.8-9.fc24
2017-05-10 03:55:54
github
github
Improper Restriction of XML External Entity Reference in Apache Batik
2022-05-13 01:14:24
Improper Access Control in Apache Derby
2022-05-17 00:29:52
osv
osv
CVE-2017-5662
2017-04-18 14:59:00
Improper Access Control in Apache Derby
2022-05-17 00:29:52
Improper Restriction of XML External Entity Reference in Apache Batik
2022-05-13 01:14:24
redhatcve
redhatcve
CVE-2010-2232
2017-11-10 21:19:35
debiancve
debiancve
CVE-2010-2232
2017-10-23 13:29:00
CVE-2017-5662
2017-04-18 14:59:00
ubuntucve
ubuntucve
CVE-2017-5662
2017-04-18 00:00:00
debian
debian
[SECURITY] [DLA 926-1] batik security update
2017-04-29 15:41:39
[SECURITY] [DSA 4215-1] batik security update
2018-06-02 08:13:08
[SECURITY] [DSA 4215-1] batik security update
2018-06-02 08:13:08
redhat
redhat
(RHSA-2017:2546) Important: Red Hat JBoss BPM Suite 6.4.5 security update
2017-08-29 19:31:56
(RHSA-2017:2547) Important: Red Hat JBoss BRMS 6.4.5 security update
2017-08-29 19:32:06
(RHSA-2018:0319) Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update
2018-02-14 19:27:14
oracle
oracle
Oracle Critical Patch Update - April 2018
2018-04-17 00:00:00
Oracle Critical Patch Update - October 2017
2017-10-17 00:00:00
CPU July 2018
2018-07-17 00:00:00

0.064 Low

EPSS

Percentile

93.7%

JSON
Related for 147A4A45B7F74A2460AB0B30F03465821EDE2901DCB6027BFF8FD700A46C6ED2
prion16nvd16nessus12openvas5veracode2ibm9cve16cvelist16ubuntu1fedora3github2osv5redhatcve1debiancve2ubuntucve1debian3redhat3oracle4