VYPR
Unrated severity · NVD Advisory · Published Jul 6, 2018 · Updated Sep 17, 2024

CVE-2017-1329

Description

IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 126231.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Rational Quality Manager (RQM) versions 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection, allowing remote attackers to inject malicious HTML code executed in the victim's browser.

Vulnerability

IBM Quality Manager (RQM) versions 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection [1]. The vulnerability allows a remote attacker to inject malicious HTML code into the application. The affected versions are explicitly listed in the advisory.

Exploitation

An attacker needs low-privileged access (PR:L) and user interaction (UI:R) to exploit this vulnerability [1]. The attacker can inject HTML code that, when viewed by a victim, executes in the victim's browser within the security context of the hosting site. The attack vector is network (AV:N) with low complexity (AC:L) [1].

Impact

Successful exploitation leads to limited impact on confidentiality and integrity (C:L/I:L) [1]. The attacker can execute arbitrary HTML in the victim's browser, potentially altering the intended functionality or leading to credential disclosure within a trusted session. The scope is changed (S:C), meaning the impact extends beyond the vulnerable component [1].

Mitigation

IBM has released a fix as part of IBM Rational Quality Manager 6.0.5.1 or later [1]. Users should upgrade to the latest version. No workaround is mentioned in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
