Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM081F45DFF204321F9568BCD6DD8406E466EC5EB8E0B9D2328404CEC64B75FB0E
HistoryJan 30, 2023 - 9:35 a.m.

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043)

2023-01-3009:35:41
www.ibm.com
25
ibm engineering lifecycle management
cross-site scripting
vulnerability
jazz team server
stored cross-site scripting
cvss
affected products
versions
remediation
workarounds
mitigations

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

19.6%

JSON

Summary

Summary guidance: The Jazz Team Server is vulnerable to cross-site scripting.

Vulnerability Details

CVEID:CVE-2021-39043
**DESCRIPTION:**IBM Jazz Foundation is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214032 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Products/Versions guidance:

Affected Product(s)|**Version(s)
**
—|—
Jazz Team Server| 6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Remediation/Fixes

Remediation/Fixes guidance:

NA

Workarounds and Mitigations

Workarounds/Mitigation guidance:

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Steps:

**Steps to disable external content widget: **

  1. On the dashboard screen of the application, the administrator can see the viewlet ID in the widget catalog (Add Widget button on a dashboard) for external content viewlet ID is com.ibm.team.dashboard.viewlets.web.external

  2. There is an advanced property, Disabled Widgets. This exists for each application (/jts/admin) that is accessible to the administrator. This is a comma-separated list of viewlet IDs so in order to disable external content administrator will have to add viewlet ID in this field.Note: The viewlet ID must be listed in the advanced property for the application that owns the viewlet here it is JTS.

  3. If a viewlet ID is in the advanced property, it will no longer be listed in the Add Widget interface for all users.

  4. If a viewlet ID is in the advanced property, any pre-existing instances of the viewlet in dashboards will show the message “This widget has been disabled by the administrator”.

Affected configurations

Vulners
Node
ibmibm_engineering_lifecycle_management_baseMatch6.0.6
OR
ibmibm_engineering_lifecycle_management_baseMatch6.0.6.1
OR
ibmibm_engineering_lifecycle_management_baseMatch7.0
OR
ibmibm_engineering_lifecycle_management_baseMatch7.0.1
OR
ibmibm_engineering_lifecycle_management_baseMatch7.0.2
VendorProductVersionCPE
ibmibm_engineering_lifecycle_management_base6.0.6cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:6.0.6:*:*:*:*:*:*:*
ibmibm_engineering_lifecycle_management_base6.0.6.1cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:6.0.6.1:*:*:*:*:*:*:*
ibmibm_engineering_lifecycle_management_base7.0cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0:*:*:*:*:*:*:*
ibmibm_engineering_lifecycle_management_base7.0.1cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.1:*:*:*:*:*:*:*
ibmibm_engineering_lifecycle_management_base7.0.2cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.2:*:*:*:*:*:*:*

Related

prion 1
cnvd 1
cvelist 1
nvd 1
cve 1
prion
prion
Cross site scripting
2022-05-20 17:15:00
cnvd
cnvd
IBM Jazz Team Server Cross-Site Scripting Vulnerability (CNVD-2022-66257)
2022-05-24 00:00:00
cvelist
cvelist
CVE-2021-39043
2022-05-20 16:20:17
nvd
nvd
CVE-2021-39043
2022-05-20 17:15:07
cve
cve
CVE-2021-39043
2022-05-20 17:15:07

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

19.6%

JSON
Related for 081F45DFF204321F9568BCD6DD8406E466EC5EB8E0B9D2328404CEC64B75FB0E
prion1cnvd1cvelist1nvd1cve1