Security Bulletin: ClearQuest Cross-Site Scripting (XSS) Vulnerability (CVE-2012-2205)

Summary

IBM Rational ClearQuest Web client contains a Cross-Site Scripting vulnerability.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

CVE ID: CVE-2012-2205

Description: The ClearQuest Web client contains a Cross-Site Scripting vulnerability.

This vulnerability does not exist in the ClearQuest desktop clients or command line utilities.

CVSS Base Score: 3.5 **CVSS Temporal Score:**See<https://exchange.xforce.ibmcloud.com/vulnerabilities/77094&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

ClearQuest Web Clients prior to version 7.1.2.7 or 8.0.0.3.

Remediation/Fixes

Upgrade to one of the following releases:

• Rational ClearQuest Fix Pack 3 (8.0.0.3) for 8.0
• Rational ClearQuest Fix Pack 7 (7.1.2.7) for 7.1.2

Workarounds and Mitigations

Workaround:

Use ClearQuest desktop applications.

Mitigation:

Examine text names in the ClearQuest Web client and do not input or execute text names that attempt to execute JavaScript code.