Unrated severityNVD Advisory· Published Jun 25, 2009· Updated Apr 23, 2026

CVE-2009-2211

Description

Cross-site scripting (XSS) vulnerability in the CQWeb server in IBM Rational ClearQuest 7.0.0 before 7.0.0.6 and 7.0.1 before 7.0.1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in IBM Rational ClearQuest CQWeb server allows remote attackers to inject arbitrary web script or HTML.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the CQWeb server component of IBM Rational ClearQuest versions 7.0.0 before 7.0.0.6 and 7.0.1 before 7.0.1.5. The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication by sending crafted input to the CQWeb server. The exact vectors are not disclosed, but typical XSS exploitation involves injecting malicious scripts into web pages served by the application, which then execute in the context of the victim's browser.

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The scope of impact is limited to the browser session and the permissions of the victim user.

Mitigation

IBM has addressed this vulnerability in ClearQuest versions 7.0.0.6 and 7.0.1.5 [1]. No workarounds have been published. Users should upgrade to the fixed versions as soon as possible. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

References

PK77030: Security vulnerabilities reported for CQWeb server: 'Cross-Site Scripting' and 'Possible Username or Password Disclosure'.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

IBM/Rational Clearquest15 versions
cpe:2.3:a:ibm:rational_clearquest:7.0:*:*:*:*:*:*:*+ 14 more
- cpe:2.3:a:ibm:rational_clearquest:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:rational_clearquest:7.0.2:*:*:*:*:*:*:*
- (no CPE)range: >=7.0.0,<7.0.0.6;>=7.0.1,<7.0.1.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www-01.ibm.com/support/docview.wssnvdPatchVendor Advisory
secunia.com/advisories/35564nvdVendor Advisory
www.securitytracker.com/idnvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000