vulnrichment / IBM / VULNRICHMENT:CVE-2023-28525
History: Mar 01, 2024 - 1:41 a.m.

CVE-2023-28525 IBM Engineering Requirements Management cross-site scripting

2024-03-01 01:41:48
CWE-79
ibm
github.com
3
ibm
engineering requirements management
cross-site scripting
vulnerability
disclosure
javascript
web ui
credentials.

CVSS3: 4.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score: 6
Confidence: High

SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

IBM Engineering Requirements Management 9.7.2.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 251052.

CNA Affected

[
  {
    "vendor": "IBM",
    "product": "Engineering Requirements Management",
    "versions": [
      {
        "status": "affected",
        "version": "9.7.2.7"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
