Security Bulletin: Open Redirect and Cross-Site Scripting Vulnerabilities in the Rational Change Help System (CVE-2012-2159, CVE-2012-2161)

Summary

Some scripts in the help system used by IBM Rational Change are vulnerable to open redirect or cross-site scripting attacks.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

CVE ID:CVE-2012-2159** **
**Description:**Some scripts used by the help system are vulnerable to redirects from trusted to untrusted web sites when users click a malicious link.

**CVSS Base Score:**4.3
**CVSS Temporal Score:*See <https://exchange.xforce.ibmcloud.com/vulnerabilities/74832&gt; for the current score
CVSS Environmental Score: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**
CVE ID: CVE-2012-2161 **
**Description:**Some scripts used by the help system are vulnerable to cross-site scripting attacks. An attacker could potentially exploit this vulnerability to collect user credentials or cookie data when users click a malicious link.
** **CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/74833&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Any supported Rational Change Web Help platform

Remediation/Fixes

Upgrade to Rational Change Fix Pack 4 (5.3.0.4) for 5.3 or later.

Workarounds and Mitigations

Workaround: Use Rational Change remote help which connects to the Rational Change Information Center.

Mitigation: Do not trust URL links to the Rational Change Help system given by untrusted users. Examine the URL for extra parameters and text that are not related to the Rational Change Web Help system.