CVE-2016-9733
IBM Team Concert (RTC) is affected by multiple cross-site scripting vulnerabilities, including CVE-2016-9733, in the Web UI across RTC 4.0–6.0.x. The root cause is XSS in the Web UI that can allow injected JavaScript to run in a trusted session, potentially leading to credential disclosure. Remed...
CVE-2016-9746
IBM Team Concert (RTC) is affected by cross-site scripting in its Web UI across Rational Collaborative Lifecycle Management 4.0–6.0.3 and RTC 4.0–6.0.3. The IBM Security Bulletin (D6F8507E.../IBM) details multiple XSS vulnerabilities (including CVE-2016-9746) allowing arbitrary JavaScript executi...
CVE-2016-9733
IBM Team Concert RTC 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119762...
CVE-2016-9746
IBM Team Concert RTC 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119821...
CVE-2017-1113
IBM Rational Team Concert RTC 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
CVE-2016-6037
The CVE-2016-6037 entry relates to an HTML injection vulnerability in IBM Rational Team Concert (RTC). A remote attacker with project administrator privileges can push a project containing malicious HTML that is executed in the victim’s browser within the hosting site’s security context. Affected...
CVE-2017-1103
The CVE-2017-1103 issue affects IBM Team Concert (RTC) as part of Rational Collaborative Lifecycle Management and related RTC/QM components. It is caused by an XML External Entity (XXE) injection when processing XML data, enabling a remote attacker to potentially disclose sensitive information or...
CVE-2016-6037
IBM Rational Team Concert RTC is vulnerable to HTML injection. A remote attacker with project administrator privileges could send a project that contains malicious HTML code, which when the project is viewed, would be executed in the victim's Web browser within the security context of the hosting...
CVE-2017-1103
IBM Team Concert RTC is vulnerable to a denial of service, caused by an XML External Entity Injection XXE error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665...
CVE-2016-0273
The CVE-2016-0273 entry applies to IBM Jazz-based CLM suite (and related products: RQM, RTC, RDNG, RELM, Rhapsody DM, RSA DM, etc.) with a cross-site scripting vulnerability exploitable by remote authenticated users via a specially crafted URL to inject arbitrary web script/HTML. The root cause i...
CVE-2016-0325
CVE-2016-0325 affects IBM Jazz-based CLM stack (Rational CLM/RQM/RRTC/RDNG/RELM/RSA DM and related) with multiple versions vulnerable prior to specific iFixes. The issue allows an authenticated remote attacker to execute arbitrary OS commands via a crafted HTTP request, impacting several CLM comp...
CVE-2016-0372
CVE-2016-0372 affects IBM Jazz-based CLM/RTC/RQM and related products. The vulnerability stems from not setting the secure flag on the session cookie in SSL mode, allowing a remote attacker to capture the cookie over HTTP. Impact is cookie exposure, not full remote code execution. Affected versio...
CVE-2016-9372
In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop excessively, triggered by network traffic or a capture file. This was addressed in plugins/profinet/packet-pn-rtc-one.c by rejecting input with too many I/O objects...
The RFC 5114 saga
Back in January I posed a question "to the Internet": What the heck is RFC 5114? It looks like a lot happened since then around it. I would like to use this post to recollect some of the stuff around RFC5114. Chapter 0: October 2007 RFC5114 draft was submitted to the IETF. Chapter I: January 20...
Mozilla Firefox and Firefox ESR WebRTC socket thread memory misreference vulnerability
Mozilla Firefox is an open source web browser; Firefox ESR is an extended support version of Firefox. A memory misreference vulnerability exists in the WebRTC socket thread of Mozilla Firefox and Firefox ESR, which can be exploited by a remote attacker to construct a malicious web page and trick the...
CVE-2016-2865
The GIT Integration component in IBM Rational Team Concert RTC 5.x before 5.0.2 iFix14 and 6.x before 6.0.1 iFix5 and Rational Collaborative Lifecycle Management 5.x before 5.0.2 iFix14 and 6.x before 6.0.1 iFix5 allows remote authenticated users to obtain sensitive information via a malformed...
CVE-2016-2865
IBM RTC GIT Integration in RTC (5.x up to 5.0.2 iFix14; 6.x up to 6.0.1 iFix5) and Rational CLM 5.x/6.x exposes a vulnerability where an authenticated remote user can cause a malformed request to disclose sensitive information. The IBM security bulletin confirms affected products and provides reme...
rtc-spa.it XSS vulnerability
Vulnerable URL: http://www.rtc-spa.it/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alertOPENBUGBOUNTY

Details:

| Description | Value |
|---|---|
| Patched: | No |
| Latest check for patch: | 30.07.2017 |
| Vulnerability type: | XSS |
| Vulnerability status: | Publicly disclosed |
| Alexa Rank | 2573656 |
| V... | |
CVE-2016-3973
Affected software: SAP NetWeaver AS Java RTC chat feature (WD_CHAT) in RTC 7.3–7.4 (likely 7.1–7.5). Root cause / vulnerability: Information disclosure via a crafted HTTP interaction with the chat UI; an anonymous attacker can access user information by navigating to webdynpro/resources/sap.com/t...
Firefox browser vulnerabilities that allow a hacker to trigger a service failure or cause other effects
Multiple vulnerabilities in dom/media/systemservices/CamerasChild.cpp in the Firefox WebRTC implementation are caused by synchronization errors when using a shared resource. Exploitation of these vulnerabilities could allow a malicious actor to cause service failures or other...