Vulnerabilities in the IBM Rational Publishing Engine affect the Document Builder (RPENG).
CVEID: CVE-2016-2912
DESCRIPTION: IBM Rational Publishing Engine is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113248 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2016-2914
DESCRIPTION: IBM Rational Publishing Engine could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. A remote authenticated attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to execute code on the vulnerable system.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113251 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
Effective CVSS Score: 5.40
Rational Publishing Engine 2.0.1
_Note: Users who use only RPE Studio and Launcher are not affected by this problem._
For the 2.0.1 release, upgrade to version 2.0.1 ifix002 or later.
None