cnvd - cnvd-2016-03210

cnvd-2016-03210

Vulnerability from cnvd

Title: 多款IBM Rational产品跨站脚本漏洞

Description:

IBM Rational Collaborative Lifecycle Management（CLM）等都是美国IBM公司的产品。IBM Rational CLM、Rational Team Concert（RTC）和Rational Engineering Lifecycle Manager都是协作化生命周期管理解决方案；Rational Quality Manager（RQM）是一套协作的、基于Web的质量管理解决方案；Rational Requirements Composer和Rational DOORS Next Generation都是需求管理解决方案。

多款IBM Rational产品中存在跨站脚本漏洞，远程攻击者可借助特制的URL，利用该漏洞注入任意Web脚本或HTML。

Severity: 中

Patch Name: 多款IBM Rational产品跨站脚本漏洞的补丁

Patch Description:

多款IBM Rational产品中存在跨站脚本漏洞，远程攻击者可借助特制的URL，利用该漏洞注入任意Web脚本或HTML。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： http://www-01.ibm.com/support/docview.wss?uid=swg21982747

Reference: http://www-01.ibm.com/support/docview.wss?uid=swg21982747

Impacted products

Name
['IBM Rational Quality Manager 3.0 - 3.0.1.6', 'IBM Rational Team Concert 3.0 - 3.0.1.6', 'IBM Rational Team Concert 4.0 - 4.0.4', 'IBM Rational Quality Manager 4.0 - 4.0.7', 'IBM Rational Quality Manager 5.0 - 5.0.2', 'IBM Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7', 'IBM Rational Engineering Lifecycle Manager 5.0 - 5.0.2', 'IBM Rational Rhapsody Design Manager 4.0 - 4.0.7', 'IBM Rational Rhapsody Design Manager 5.0 - 5.0.2', 'IBM Rational Software Architect Design Manager 4.0 - 4.0.7', 'IBM Rational Software Architect Design Manager 5.0 - 5.0.2', 'IBM Rational Collaborative Lifecycle Management 3.0.1 - 6.0.1', 'IBM Rational Quality Manager 6.0 - 6.0.1', 'IBM Rational Team Concert 5.0 - 5.0.2', 'IBM Rational Team Concert 6.0 - 6.0.1', 'IBM Rational Requirements Composer 3.0 - 3.0.1.6', 'IBM Rational Requirements Composer 4.0 - 4.0.7', 'IBM Rational DOORS Next Generation 4.0 - 4.0.7', 'IBM Rational DOORS Next Generation 5.0 - 5.0.2', 'IBM Rational DOORS Next Generation 6.0 - 6.0.1', 'IBM Rational Engineering Lifecycle Manager 6.0 - 6.0.1', 'IBM Rational Rhapsody Design Manager 6.0 - 6.0.1', 'IBM Rational Software Architect Design Manager 6.0 - 6.0.1']

Name

['IBM Rational Quality Manager 3.0 - 3.0.1.6', 'IBM Rational Team Concert 3.0 - 3.0.1.6', 'IBM Rational Team Concert 4.0 - 4.0.4', 'IBM Rational Quality Manager 4.0 - 4.0.7', 'IBM Rational Quality Manager 5.0 - 5.0.2', 'IBM Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7', 'IBM Rational Engineering Lifecycle Manager 5.0 - 5.0.2', 'IBM Rational Rhapsody Design Manager 4.0 - 4.0.7', 'IBM Rational Rhapsody Design Manager 5.0 - 5.0.2', 'IBM Rational Software Architect Design Manager 4.0 - 4.0.7', 'IBM Rational Software Architect Design Manager 5.0 - 5.0.2', 'IBM Rational Collaborative Lifecycle Management 3.0.1 - 6.0.1', 'IBM Rational Quality Manager 6.0 - 6.0.1', 'IBM Rational Team Concert 5.0 - 5.0.2', 'IBM Rational Team Concert 6.0 - 6.0.1', 'IBM Rational Requirements Composer 3.0 - 3.0.1.6', 'IBM Rational Requirements Composer 4.0 - 4.0.7', 'IBM Rational DOORS Next Generation 4.0 - 4.0.7', 'IBM Rational DOORS Next Generation 5.0 - 5.0.2', 'IBM Rational DOORS Next Generation 6.0 - 6.0.1', 'IBM Rational Engineering Lifecycle Manager 6.0 - 6.0.1', 'IBM Rational Rhapsody Design Manager 6.0 - 6.0.1', 'IBM Rational Software Architect Design Manager 6.0 - 6.0.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-7453"
    }
  },
  "description": "IBM Rational Collaborative Lifecycle Management\uff08CLM\uff09\u7b49\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Rational CLM\u3001Rational Team Concert\uff08RTC\uff09\u548cRational Engineering Lifecycle Manager\u90fd\u662f\u534f\u4f5c\u5316\u751f\u547d\u5468\u671f\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRational Quality Manager\uff08RQM\uff09\u662f\u4e00\u5957\u534f\u4f5c\u7684\u3001\u57fa\u4e8eWeb\u7684\u8d28\u91cf\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRational Requirements Composer\u548cRational DOORS Next Generation\u90fd\u662f\u9700\u6c42\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\n\u591a\u6b3eIBM Rational\u4ea7\u54c1\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684URL\uff0c\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002",
  "discovererName": "IBM",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21982747",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-03210",
  "openTime": "2016-05-17",
  "patchDescription": "IBM Rational Collaborative Lifecycle Management\uff08CLM\uff09\u7b49\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Rational CLM\u3001Rational Team Concert\uff08RTC\uff09\u548cRational Engineering Lifecycle Manager\u90fd\u662f\u534f\u4f5c\u5316\u751f\u547d\u5468\u671f\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRational Quality Manager\uff08RQM\uff09\u662f\u4e00\u5957\u534f\u4f5c\u7684\u3001\u57fa\u4e8eWeb\u7684\u8d28\u91cf\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRational Requirements Composer\u548cRational DOORS Next Generation\u90fd\u662f\u9700\u6c42\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\n\u591a\u6b3eIBM Rational\u4ea7\u54c1\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684URL\uff0c\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eIBM Rational\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Rational Quality Manager  3.0 - 3.0.1.6",
      "IBM Rational Team Concert  3.0 - 3.0.1.6",
      "IBM Rational Team Concert  4.0 - 4.0.4",
      "IBM Rational Quality Manager 4.0 - 4.0.7",
      "IBM Rational Quality Manager 5.0 - 5.0.2",
      "IBM Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7",
      "IBM Rational Engineering Lifecycle Manager 5.0 - 5.0.2",
      "IBM Rational Rhapsody Design Manager 4.0 - 4.0.7",
      "IBM Rational Rhapsody Design Manager 5.0 - 5.0.2",
      "IBM Rational Software Architect Design Manager 4.0 - 4.0.7",
      "IBM Rational Software Architect Design Manager 5.0 - 5.0.2",
      "IBM Rational Collaborative Lifecycle Management 3.0.1 - 6.0.1",
      "IBM Rational Quality Manager 6.0 - 6.0.1",
      "IBM Rational Team Concert 5.0 - 5.0.2",
      "IBM Rational Team Concert 6.0 - 6.0.1",
      "IBM Rational Requirements Composer 3.0 - 3.0.1.6",
      "IBM Rational Requirements Composer 4.0 - 4.0.7",
      "IBM  Rational DOORS Next Generation 4.0 - 4.0.7",
      "IBM  Rational DOORS Next Generation 5.0 - 5.0.2",
      "IBM  Rational DOORS Next Generation 6.0 - 6.0.1",
      "IBM Rational Engineering Lifecycle Manager 6.0 - 6.0.1",
      "IBM Rational Rhapsody Design Manager 6.0 - 6.0.1",
      "IBM Rational Software Architect Design Manager 6.0 - 6.0.1"
    ]
  },
  "referenceLink": "http://www-01.ibm.com/support/docview.wss?uid=swg21982747",
  "serverity": "\u4e2d",
  "submitTime": "2016-05-13",
  "title": "\u591a\u6b3eIBM Rational\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2015-7453 (GCVE-0-2015-7453)

Vulnerability from cvelistv5

Published

2018-03-15 22:00

Modified

2024-08-06 07:51

Severity ?

CWE

Summary

Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108296.

References

▼	URL	Tags
	http://www-01.ibm.com/support/docview.wss?uid=swg21982747	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/108296	vdb-entry, x_refsource_XF

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T07:51:27.540Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21982747"
          },
          {
            "name": "ibm-jazz-cve20157453-xss(108296)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/108296"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-05-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108296."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-15T21:57:01",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21982747"
        },
        {
          "name": "ibm-jazz-cve20157453-xss(108296)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/108296"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2015-7453",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108296."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21982747",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21982747"
            },
            {
              "name": "ibm-jazz-cve20157453-xss(108296)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/108296"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2015-7453",
    "datePublished": "2018-03-15T22:00:00",
    "dateReserved": "2015-09-29T00:00:00",
    "dateUpdated": "2024-08-06T07:51:27.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted