CVE-2017-1609
Description
IBM Quality Manager (RQM) 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132929.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Rational Quality Manager (RQM) 5.0-5.0.2 and 6.0-6.0.6 are vulnerable to stored cross-site scripting, allowing credential disclosure.
Vulnerability
IBM Rational Quality Manager (RQM) versions 5.0 through 5.0.2 and 6.0 through 6.0.6 contain a cross-site scripting (XSS) vulnerability. The flaw allows authenticated users to embed arbitrary JavaScript code in the Web UI, which is then rendered to other users during normal application use [1]. The vulnerability is classified as CVE-2017-1609 with a CVSS base score of 5.4 [1].
Exploitation
An authenticated attacker with low privileges can inject malicious script into the Web UI. The attack requires user interaction: a victim user must view the page containing the injected script. The vulnerability is exploitable over the network without requiring special access beyond standard user privileges [1]. The attacker does not need elevated rights; any user able to input data (such as test artifacts or comments) may inject the script.
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of the victim's session within the same origin. This can result in disclosure of sensitive information, including credentials, as the malicious script can capture and exfiltrate data from the trusted session [1]. The impact is partial compromise of confidentiality and integrity (C:L, I:L, A:N) as per the CVSS vector [1].
Mitigation
IBM has released fixes for affected versions: for the 5.x line, upgrade to 5.0.2 iFix27 or later; for 6.0.x releases, apply 6.0.2 iFix018 or later for the 6.0.2 stream, or 6.0.6 iFix004 or later for the 6.0.6 stream [1]. No workarounds are documented. Organizations using unsupported versions should upgrade to a supported release.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 5.0-5.0.2, 6.0-6.0.6
- Range: 5.0
Patches
No patches discovered yet.
References
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- www.securityfocus.com/bid/106384 (mitre, vdb-entry, x_refsource_BID)
- exchange.xforce.ibmcloud.com/vulnerabilities/132929 (mitre, vdb-entry, x_refsource_XF)