History: Apr 28, 2021 - 6:35 p.m.

Security Bulletin: XSS Vulnerability in IBM Jazz Foundation affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0130)

2021-04-28 18:35:50
www.ibm.com

EPSS: 0.001 (Percentile: 27.4%)

Summary

A Cross-site Scripting vulnerability affects the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Team Concert (RTC), and Rational Quality Manager (RQM).

Vulnerability Details

CVEID: CVE-2015-0130
DESCRIPTION: IBM Jazz Foundation is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100543> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 4.0 - 5.0.2

Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 5.0 - 5.0.2

Rational Team Concert 4.0 - 4.0.7
Rational Team Concert 5.0 - 5.0.2

Rational Requirements Composer 4.0 - 4.0.7

Rational DOORS Next Generation 4.0 - 4.0.7
Rational DOORS Next Generation 5.0 - 5.0.2

Remediation/Fixes

For the 5.x releases, upgrade to version 5.0.2 iFix5 or later

Workarounds and Mitigations

None
