Vulnerability Name: CVE-2015-7471 (CCN-108429) Assigned: 2015-09-29 Published: 2016-05-10 Updated: 2018-04-10 Summary: Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 allows remote authenticated users with project administrator privileges to inject arbitrary web script or HTML via a crafted project. IBM X-Force ID: 108429. CVSS v3 Severity: 4.8 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N )4.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): RequiredScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): None
4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N )4.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): RequiredScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
4.7 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:M/C:P/I:P/A:N )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Multiple_InstancesImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): None
Vulnerability Type: CWE-79 Vulnerability Consequences: Gain Access References: Source: MITRE Type: CNACVE-2015-7471 Source: CONFIRM Type: Patch, Vendor Advisoryhttp://www-01.ibm.com/support/docview.wss?uid=swg21982747 Source: CCN Type: IBM Security Bulletin 1982747 (Rational Collaborative Lifecycle Management)Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7440, CVE-2015-7453, CVE-2015-7471) Source: XF Type: UNKNOWNibm-rtc-cve20157471-html-injection(108429) Source: XF Type: VDB Entry, Vendor Advisoryibm-rtc-cve20157471-html-injection(108429) Vulnerable Configuration: Configuration 1 :cpe:/a:ibm:rational_collaborative_lifecycle_management:*:*:*:*:*:*:*:* (Version >= 3.0.1 and <= 6.0.1)Configuration 2 :cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.1.6)OR cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7) OR cpe:/a:ibm:rational_quality_manager:5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_quality_manager:5.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_quality_manager:5.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_quality_manager:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_quality_manager:6.0.1:*:*:*:*:*:*:* Configuration 3 :cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.6)OR cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7) OR cpe:/a:ibm:rational_team_concert:5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_team_concert:5.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_team_concert:5.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_team_concert:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_team_concert:6.0.1:*:*:*:*:*:*:* Configuration 4 :cpe:/a:ibm:rational_requirements_composer:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.1.6)OR cpe:/a:ibm:rational_requirements_composer:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7) Configuration 5 :cpe:/a:ibm:rational_doors_next_generation:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)OR cpe:/a:ibm:rational_doors_next_generation:5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_doors_next_generation:5.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_doors_next_generation:5.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_doors_next_generation:6.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_doors_next_generation:6.0.1:*:*:*:*:*:*:* Configuration 6 :cpe:/a:ibm:rational_engineering_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 4.0.3 and <= 4.0.7)OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.1:*:*:*:*:*:*:* Configuration 7 :cpe:/a:ibm:rational_rhapsody_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:* Configuration 8 :cpe:/a:ibm:rational_software_architect_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)OR cpe:/a:ibm:rational_software_architect_design_manager:5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_software_architect_design_manager:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_software_architect_design_manager:6.0.1:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1.6:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.7:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:* Denotes that component is vulnerable BACK
ibm rational collaborative lifecycle management *
ibm rational quality manager *
ibm rational quality manager *
ibm rational quality manager 5.0
ibm rational quality manager 5.0.1
ibm rational quality manager 5.0.2
ibm rational quality manager 6.0
ibm rational quality manager 6.0.1
ibm rational team concert *
ibm rational team concert *
ibm rational team concert 5.0
ibm rational team concert 5.0.1
ibm rational team concert 5.0.2
ibm rational team concert 6.0
ibm rational team concert 6.0.1
ibm rational requirements composer *
ibm rational requirements composer *
ibm rational doors next generation *
ibm rational doors next generation 5.0
ibm rational doors next generation 5.0.1
ibm rational doors next generation 5.0.2
ibm rational doors next generation 6.0.0
ibm rational doors next generation 6.0.1
ibm rational engineering lifecycle manager *
ibm rational engineering lifecycle manager 5.0
ibm rational engineering lifecycle manager 5.0.1
ibm rational engineering lifecycle manager 5.0.2
ibm rational engineering lifecycle manager 6.0
ibm rational engineering lifecycle manager 6.0.1
ibm rational rhapsody design manager *
ibm rational rhapsody design manager 5.0
ibm rational rhapsody design manager 5.0.1
ibm rational rhapsody design manager 5.0.2
ibm rational rhapsody design manager 6.0
ibm rational rhapsody design manager 6.0.1
ibm rational software architect design manager *
ibm rational software architect design manager 5.0
ibm rational software architect design manager 5.0.1
ibm rational software architect design manager 5.0.2
ibm rational software architect design manager 6.0
ibm rational software architect design manager 6.0.1
ibm rational collaborative lifecycle management 3.0.1
ibm rational collaborative lifecycle management 4.0
ibm rational collaborative lifecycle management 3.0.1.6
ibm rational collaborative lifecycle management 4.0.1
ibm rational collaborative lifecycle management 4.0.2
ibm rational collaborative lifecycle management 4.0.3
ibm rational collaborative lifecycle management 4.0.4
ibm rational collaborative lifecycle management 4.0.5
ibm rational collaborative lifecycle management 4.0.6
ibm rational collaborative lifecycle management 5.0
ibm rational collaborative lifecycle management 4.0.7
ibm rational collaborative lifecycle management 5.0.1
ibm rational collaborative lifecycle management 5.0.2
ibm rational collaborative lifecycle management 6.0
ibm rational collaborative lifecycle management 6.0.1