VYPR
Unrated severity · NVD Advisory · Published Jul 6, 2018 · Updated Sep 17, 2024

CVE-2017-1238

Description

IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 124356.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Rational Quality Manager (RQM) versions 5.0.x and 6.0 through 6.0.5 contain a stored cross-site scripting vulnerability allowing credential disclosure.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in IBM Quality Manager (RQM) versions 5.0.x and 6.0 through 6.0.5. An authenticated user with the ability to enter data into the Web UI can inject arbitrary JavaScript code that is stored and later executed in the browser of other users viewing the same page [1]. The affected functionality is described as part of the general Web UI input handling.

Exploitation

The attacker must have a valid user account with at least the ability to submit or edit data in the RQM Web interface. No special privileges beyond standard user access are required. The attacker inserts malicious JavaScript into a vulnerable input field. When another user (including administrators) views the affected page, the injected script executes within the security context of the target's session [1]. The attack requires user interaction in that the victim must navigate to the tampered content.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to disclosure of the victim's session credentials or other sensitive information accessible within the trusted session, as well as alteration of the intended Web UI functionality [1]. The compromise is limited to the browser context (stored XSS, exploitable by a low-privileged user) but can lead to session hijacking or credential theft.

Mitigation

IBM released a fix as part of IBM Rational Quality Manager 6.0.5 iFix 1 and later versions. Users should upgrade to the latest recommended fix level as documented in the vendor security bulletin [1]. No workarounds are described for unpatched instances. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
