CVE-2015-7471

EPSS 0.13%
Published 15.03.2018 22:29:00
Last modified 21.11.2024 02:36:51
Source psirt@us.ibm.com
Teams watchlist Login
Open Login

Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 allows remote authenticated users with project administrator privileges to inject arbitrary web script or HTML via a crafted project. IBM X-Force ID: 108429.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Ibm ≫ Rational Collaborative Lifecycle Management Version >= 3.0.1 <= 6.0.1

Ibm ≫ Rational Quality Manager Version >= 3.0 <= 3.0.1.6

Ibm ≫ Rational Quality Manager Version >= 4.0 <= 4.0.7

Ibm ≫ Rational Quality Manager Version5.0

Ibm ≫ Rational Quality Manager Version5.0.1

Ibm ≫ Rational Quality Manager Version5.0.2

Ibm ≫ Rational Quality Manager Version6.0

Ibm ≫ Rational Quality Manager Version6.0.1

Ibm ≫ Rational Team Concert Version >= 3.0 <= 3.0.6

Ibm ≫ Rational Team Concert Version >= 4.0 <= 4.0.7

Ibm ≫ Rational Team Concert Version5.0

Ibm ≫ Rational Team Concert Version5.0.1

Ibm ≫ Rational Team Concert Version5.0.2

Ibm ≫ Rational Team Concert Version6.0

Ibm ≫ Rational Team Concert Version6.0.1

Ibm ≫ Rational Requirements Composer Version >= 3.0 <= 3.0.1.6

Ibm ≫ Rational Requirements Composer Version >= 4.0 <= 4.0.7

Ibm ≫ Rational Doors Next Generation Version >= 4.0 <= 4.0.7

Ibm ≫ Rational Doors Next Generation Version5.0

Ibm ≫ Rational Doors Next Generation Version5.0.1

Ibm ≫ Rational Doors Next Generation Version5.0.2

Ibm ≫ Rational Doors Next Generation Version6.0.0

Ibm ≫ Rational Doors Next Generation Version6.0.1

Ibm ≫ Rational Engineering Lifecycle Manager Version >= 4.0.3 <= 4.0.7

Ibm ≫ Rational Engineering Lifecycle Manager Version5.0

Ibm ≫ Rational Engineering Lifecycle Manager Version5.0.1

Ibm ≫ Rational Engineering Lifecycle Manager Version5.0.2

Ibm ≫ Rational Engineering Lifecycle Manager Version6.0

Ibm ≫ Rational Engineering Lifecycle Manager Version6.0.1

Ibm ≫ Rational Rhapsody Design Manager Version >= 4.0 <= 4.0.7

Ibm ≫ Rational Rhapsody Design Manager Version5.0

Ibm ≫ Rational Rhapsody Design Manager Version5.0.1

Ibm ≫ Rational Rhapsody Design Manager Version5.0.2

Ibm ≫ Rational Rhapsody Design Manager Version6.0

Ibm ≫ Rational Rhapsody Design Manager Version6.0.1

Ibm ≫ Rational Software Architect Design Manager Version >= 4.0 <= 4.0.7

Ibm ≫ Rational Software Architect Design Manager Version5.0

Ibm ≫ Rational Software Architect Design Manager Version5.0.1

Ibm ≫ Rational Software Architect Design Manager Version5.0.2

Ibm ≫ Rational Software Architect Design Manager Version6.0

Ibm ≫ Rational Software Architect Design Manager Version6.0.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.295

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://www-01.ibm.com/support/docview.wss?uid=swg21982747

Patch

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/108429

Vendor Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2015-7471

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2015-7471

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2015-7471

EUVD