Vulnerability Name:

CVE-2015-7453 (CCN-108296)

Assigned:2015-09-29
Published:2016-05-10
Updated:2018-04-10
Summary:Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108296.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2015-7453

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21982747

Source: CCN
Type: IBM Security Bulletin 1982747 (Rational Collaborative Lifecycle Management)
Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7440, CVE-2015-7453, CVE-2015-7471)

Source: XF
Type: UNKNOWN
ibm-jazz-cve20157453-xss(108296)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-jazz-cve20157453-xss(108296)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:rational_collaborative_lifecycle_management:*:*:*:*:*:*:*:* (Version >= 3.0.1 and <= 6.0.1)

    • Configuration 2:
  • cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.1.6)
  • OR cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)
  • OR cpe:/a:ibm:rational_quality_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.1:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.6)
  • OR cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)
  • OR cpe:/a:ibm:rational_team_concert:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_team_concert:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_team_concert:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_team_concert:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_team_concert:6.0.1:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/a:ibm:rational_requirements_composer:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.1.6)
  • OR cpe:/a:ibm:rational_requirements_composer:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

    • Configuration 5:
  • cpe:/a:ibm:rational_doors_next_generation:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)
  • OR cpe:/a:ibm:rational_doors_next_generation:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_doors_next_generation:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_doors_next_generation:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_doors_next_generation:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_doors_next_generation:6.0.1:*:*:*:*:*:*:*

    • Configuration 6:
  • cpe:/a:ibm:rational_engineering_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 4.0.3 and <= 4.0.7)
  • OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.1:*:*:*:*:*:*:*

    • Configuration 7:
  • cpe:/a:ibm:rational_rhapsody_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*

    • Configuration 8:
  • cpe:/a:ibm:rational_software_architect_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)
  • OR cpe:/a:ibm:rational_software_architect_design_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect_design_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect_design_manager:6.0.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2015-7453 (CCN-112571)

    Assigned:2013-07-05
    Published:2013-07-05
    Updated:2018-04-10
    Summary:Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 108296.
    CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
    5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): 
    Attack Complexity (AC): 
    Privileges Required (PR): 
    User Interaction (UI): 
    Scope:Scope (S): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    5.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): 
    Attack Complexity (AC): 
    Privileges Required (PR): 
    User Interaction (UI): 
    Scope:Scope (S): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
    3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Partial
    Availibility (A): None
    4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
    3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Medium
    Athentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Partial
    Availibility (A): None
    Vulnerability Type:CWE-79
    Vulnerability Consequences:Cross-Site Scripting
    References:Source: MITRE
    Type: CNA
    CVE-2015-7453

    Source: CCN
    Type: Node.js Web site
    Node.js

    Source: CCN
    Type: oss-sec Mailing List, Wed, 20 Apr 2016 17:16:24 -0400 (EDT)
    various vulnerabilities in Node.js packages

    Source: XF
    Type: UNKNOWN
    nodejs-cve20157453-filter-bypass(112571)

    Source: CCN
    Type: Node Security Web site
    Multiple XSS Filter Bypasses

    BACK
    ibm rational collaborative lifecycle management *
    ibm rational quality manager *
    ibm rational quality manager *
    ibm rational quality manager 5.0
    ibm rational quality manager 5.0.1
    ibm rational quality manager 5.0.2
    ibm rational quality manager 6.0
    ibm rational quality manager 6.0.1
    ibm rational team concert *
    ibm rational team concert *
    ibm rational team concert 5.0
    ibm rational team concert 5.0.1
    ibm rational team concert 5.0.2
    ibm rational team concert 6.0
    ibm rational team concert 6.0.1
    ibm rational requirements composer *
    ibm rational requirements composer *
    ibm rational doors next generation *
    ibm rational doors next generation 5.0
    ibm rational doors next generation 5.0.1
    ibm rational doors next generation 5.0.2
    ibm rational doors next generation 6.0.0
    ibm rational doors next generation 6.0.1
    ibm rational engineering lifecycle manager *
    ibm rational engineering lifecycle manager 5.0
    ibm rational engineering lifecycle manager 5.0.1
    ibm rational engineering lifecycle manager 5.0.2
    ibm rational engineering lifecycle manager 6.0
    ibm rational engineering lifecycle manager 6.0.1
    ibm rational rhapsody design manager *
    ibm rational rhapsody design manager 5.0
    ibm rational rhapsody design manager 5.0.1
    ibm rational rhapsody design manager 5.0.2
    ibm rational rhapsody design manager 6.0
    ibm rational rhapsody design manager 6.0.1
    ibm rational software architect design manager *
    ibm rational software architect design manager 5.0
    ibm rational software architect design manager 5.0.1
    ibm rational software architect design manager 5.0.2
    ibm rational software architect design manager 6.0
    ibm rational software architect design manager 6.0.1
    ibm rational collaborative lifecycle management 3.0.1
    ibm rational collaborative lifecycle management 4.0
    ibm rational collaborative lifecycle management 3.0.1.6
    ibm rational collaborative lifecycle management 4.0.1
    ibm rational collaborative lifecycle management 4.0.2
    ibm rational collaborative lifecycle management 4.0.3
    ibm rational collaborative lifecycle management 4.0.4
    ibm rational collaborative lifecycle management 4.0.5
    ibm rational collaborative lifecycle management 4.0.6
    ibm rational collaborative lifecycle management 5.0
    ibm rational collaborative lifecycle management 4.0.7
    ibm rational collaborative lifecycle management 5.0.1
    ibm rational collaborative lifecycle management 5.0.2
    ibm rational collaborative lifecycle management 6.0
    ibm rational collaborative lifecycle management 6.0.1