CVE-2016-6037
Description
IBM Rational Team Concert (RTC) is vulnerable to HTML injection. A remote attacker with project administrator privileges could send a project that contains malicious HTML code, which when the project is viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 116918.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Rational Team Concert (RTC) is vulnerable to HTML injection, allowing a project administrator to inject malicious HTML that executes in viewers' browsers.
Vulnerability
IBM Rational Team Concert (RTC) is affected by an HTML injection vulnerability [1]. A remote attacker with project administrator privileges can craft a project containing malicious HTML code. When the project is viewed by another user, the injected HTML executes in the victim's web browser within the security context of the hosting site. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) indicates low confidentiality and integrity impact with a changed scope [1].
Exploitation
To exploit this vulnerability, an attacker must hold project administrator privileges in RTC [1]. The attacker sends a project whose content includes malicious HTML. The only user interaction required is that a victim views that project (the UI:R component of the CVSS vector); the injected HTML is then rendered in the victim's browser and executes within the security context of the RTC site.
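The following is an added illustration of the injection pattern described above, not code from Rational Team Concert or IBM. It models, in generic terms, a project record whose administrator-controlled fields are concatenated into markup without output encoding, places the hardened rendering beside it, and adds a coarse check that flags stored fields containing markup. The project record shape, the render/escape helper names and the sample payloads are all constructed for this example.

```javascript
// Added example for CVE-2016-6037's HTML-injection pattern. NOT Rational
// Team Concert code: the project record shape, helper names and sample
// payloads below are assumptions made for illustration.

// Encode text for HTML element content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: fields a project administrator controls are spliced
// into markup verbatim, so the browser of every viewer parses them as HTML.
function renderProjectUnsafe(project) {
  return `<div class="project" data-id="${project.id}">` +
         `<h2>${project.name}</h2>` +
         `<p>${project.description}</p>` +
         `</div>`;
}

// Hardened pattern: the same template, with every untrusted value encoded
// for the HTML context it lands in.
function renderProjectSafe(project) {
  return `<div class="project" data-id="${escapeHtml(project.id)}">` +
         `<h2>${escapeHtml(project.name)}</h2>` +
         `<p>${escapeHtml(project.description)}</p>` +
         `</div>`;
}

// Coarse detection check for stored records: flag fields that contain a tag
// opener, an inline event handler, or a javascript: URL. Intended for
// auditing existing data, not as a substitute for output encoding.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|on[a-z]+\s*=|javascript:/i;
function findSuspiciousFields(project) {
  return Object.entries(project)
    .filter(([, value]) => MARKUP_PATTERN.test(String(value)))
    .map(([key]) => key);
}

// Constructed sample records: one as an abusive administrator might save it,
// one benign record that merely contains characters HTML treats specially.
const maliciousProject = {
  id: "42",
  name: 'Payroll <img src=x onerror="alert(document.domain)">',
  description: 'Quarterly build " onmouseover="alert(1)',
};
const benignProject = {
  id: "7",
  name: "Payroll & Benefits",
  description: "Q3 release & hotfixes",
};

console.log("unsafe:    ", renderProjectUnsafe(maliciousProject));
console.log("safe:      ", renderProjectSafe(maliciousProject));
console.log("suspicious:", findSuspiciousFields(maliciousProject));
```

The unsafe rendering emits the administrator's `<img ... onerror=...>` as live markup, which is exactly what the advisory describes; the safe rendering turns it into inert text while leaving the benign record readable. Note that `escapeHtml` is only correct for element content and quoted attribute values; values placed into URLs, `<script>` blocks or CSS need their own context-specific encoders.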
Impact
Successful exploitation allows the attacker to inject arbitrary HTML, including script, into pages that other users load from the RTC site [1]. Because that content runs with the origin of the hosting site, it can lead to credential disclosure, session hijacking, or any action the victim is permitted to perform within the RTC application. The CVSS score of 4.8 (Medium) reflects the high privileges and user interaction required; the changed scope records that the impact lands in the victim's browser, a component beyond the vulnerable RTC server.
Mitigation
IBM has released a security bulletin addressing this vulnerability [1]. Users should apply the latest updates provided by IBM for Rational Team Concert. No workarounds are documented in the available reference. Organizations should review the bulletin and apply the fix to affected installations.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- IBM Corporation / Rational Collaborative Lifecycle Management; affected versions: 4.0.7, 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- www.ibm.com/support/docview.wss (NVD: Patch, Vendor Advisory)
News mentions
No linked articles in our index yet.