CVE-2017-1248
Description
IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 124628.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Rational Quality Manager (RQM) versions 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection, allowing remote attackers to execute arbitrary HTML in a victim's browser.
Vulnerability
IBM Quality Manager (RQM) versions 5.0.x and 6.0 through 6.0.5 are affected by an HTML injection vulnerability [1]. A remote attacker can inject malicious HTML code into the application, which, when rendered in a victim's browser, executes within the security context of the hosting site [1].
Exploitation
An attacker needs a valid account on the RQM instance (low-privileged access) and must convince a victim to view a crafted page or content containing the injected HTML [1]. The attacker can inject arbitrary HTML by sending specially crafted input that is not properly sanitized [1]. No other special privileges or network position beyond standard web access is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML in the victim's browser, potentially altering page content, stealing session cookies, or redirecting the user to malicious sites [1]. The impact is limited to the user's session, with CVSS 5.4 (Medium) reflecting low confidentiality and integrity impact [1].
Mitigation
IBM released fixes for CVE-2017-1248 as part of the Rational Quality Manager 6.0.5.1 and 5.0.2.7 interim fixes (or later) [1]. Users should upgrade to these fixed versions. There is no known workaround; applying the vendor-supplied fix is the recommended mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 5.0.x, 6.0 through 6.0.5
- Range: 6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- exchange.xforce.ibmcloud.com/vulnerabilities/124628 (mitre, vdb-entry, x_refsource_XF)
News mentions
No linked articles in our index yet.