CVE-2019-4602
Description
IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168293.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Quality Manager (RQM) 6.0.2, 6.0.6, and 6.0.6.1 are vulnerable to stored cross-site scripting, allowing arbitrary JavaScript execution in the Web UI that can lead to credential disclosure.
Vulnerability
IBM Quality Manager (RQM) versions 6.0.2, 6.0.6, and 6.0.6.1 contain a cross-site scripting (XSS) vulnerability in the Web UI [1]. The vulnerability allows authenticated users to embed arbitrary JavaScript code within the user interface, triggering when other users view the crafted content [1].
Exploitation
An attacker needs a valid account with access to RQM's Web UI and the ability to input or modify content that is later rendered to other users (e.g., test plans, test cases, or defect descriptions) [1]. The attacker crafts a payload containing malicious JavaScript and submits it; when a victim subsequently loads the affected page, the script executes in the context of their browser session [1]. No special network position is required beyond normal application access.
Impact
Successful exploitation can alter the intended functionality of the Web UI and potentially expose the victim's session credentials to the attacker [1]. The CVSS vector records a scope change (S:C), and exploitation requires user interaction; the attacker gains the ability to perform actions on behalf of the victim within the trusted session, resulting in a low-level compromise of confidentiality and integrity [1].
Mitigation
IBM has not released a patch or workaround according to the advisory [1]. Affected users should apply vendor-supplied fixes if they become available, or restrict access to the RQM Web UI to trusted users only, and consider input sanitization or content security policies to reduce exploitation risk [1].
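The mitigation above names output handling and a content security policy as the two defensive layers. The following is an added illustration, not code from IBM or from RQM, of what those layers look like for stored content in a test-management UI: the defect pattern (untrusted text interpolated straight into markup) next to its hardened form (context-appropriate HTML encoding), a quoted-attribute variant, a restrictive CSP header, and a small check that confirms no executable script tag survives rendering. The sample description, the helper names and the CSP values are all constructed for this example.

```python
import html
import re

# Constructed sample of a defect description as a user might submit it;
# the script tag stands in for any injected markup.
SAMPLE_DESCRIPTION = "Login fails on Safari <script>alert(1)</script> after upgrade"

# Constructed sample of an attribute value that tries to break out of the quotes.
SAMPLE_TITLE = 'x" onmouseover="y'


def render_unsafe(description: str) -> str:
    """The defect pattern: untrusted text placed directly into an HTML text node."""
    return f"<div class='description'>{description}</div>"


def render_safe(description: str) -> str:
    """Hardened form: encode for the HTML text context before interpolation.

    html.escape turns <, >, & (and, with quote=True, the quote characters)
    into entities, so the browser renders the payload as literal text.
    """
    return f"<div class='description'>{html.escape(description, quote=True)}</div>"


def render_attribute_safe(title: str) -> str:
    """Attribute context: always quote the attribute and encode the value,
    so an embedded quote cannot start a new attribute such as an event handler."""
    return f'<a href="#" title="{html.escape(title, quote=True)}">item</a>'


def csp_header() -> tuple[str, str]:
    """Second layer: a policy that refuses inline scripts and only allows
    same-origin script files, so an encoding slip is far less useful.
    Hypothetical values; a real deployment must be tuned to the application."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(fragment: str) -> bool:
    """Regression check for templates: True if the rendered fragment still
    carries an unencoded <script tag."""
    return _SCRIPT_TAG.search(fragment) is not None


if __name__ == "__main__":
    print("unsafe  :", render_unsafe(SAMPLE_DESCRIPTION))
    print("safe    :", render_safe(SAMPLE_DESCRIPTION))
    print("attr    :", render_attribute_safe(SAMPLE_TITLE))
    print("csp     :", ": ".join(csp_header()))
    print("live script in unsafe?", contains_live_script(render_unsafe(SAMPLE_DESCRIPTION)))
    print("live script in safe?  ", contains_live_script(render_safe(SAMPLE_DESCRIPTION)))
```

Encoding at output time is the control that actually closes stored XSS, because it is applied at the point where the text meets the HTML context; sanitizing at input time helps but can be bypassed by data that arrives through another path (imports, APIs, older records). The CSP header is a compensating control that limits what an injected script can do if an encoding gap is missed, and the `contains_live_script` check is the kind of assertion worth adding to template tests.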
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 6.02, 6.06, 6.0.6.1
- Range: 6.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/168293 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6172629 (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.