Potential Cross-site scripting vulnerabilities affect the following IBM Rational Products: Rational Engineering Lifecycle Manager (RELM), Rational Rhapsody Design Manager (Rhapsody DM)
CVEID: CVE-2016-8975**
DESCRIPTION:** IBM Rhapsody DM and IBM Rational Engineering Lifecycle Manager are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118912 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2017-1245**
DESCRIPTION:** IBM Rhapsody Design Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124580 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2017-1249**
DESCRIPTION:** IBM Rhapsody DM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2017-1287**
DESCRIPTION:** IBM Rhapsody DM could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
Rational Rhapsody Design Manager 5.0.0-5.0.2, 6.0 - 6.0.3 (Versions 6.0.4 and above are not affected)
Rational Engineering Lifecycle Manager 6.0 - 6.0.2 (Versions 6.0.3 and above are not affected)
For Rational Rhapsody Design Manager 5.0.0-5.0.2, 6.0 - 6.0.3 releases, upgrade to one of the following versions:
* Upgrade to version 5.0.2 ifix19a or later:
<https://jazz.net/downloads/design-management/releases/5.0.2iFix19a>
* Upgrade to version 6.0.3 ifix6 or later:
<https://jazz.net/downloads/design-management/releases/6.0.3iFix6>
* Or upgrade to version 6.0.2 ifix11 or later:
<https://jazz.net/downloads/design-management/releases/6.0.2iFix11> For Rational Engineering Lifecycle Manager 6.0 - 6.0.2 releases, upgrade to one of the following versions:
* Upgrade to version 6.0.3 or later:
<https://jazz.net/downloads/rational-engineering-lifecycle-manager/>
* Or upgrade to 6.0.2 ifix10 or later:
If the iFix is not found in the Fix Portal please contact IBM Support.
None