At the beginning of this year, I discovered and reported a Cross-Site Scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM). This month IBM released a security bulletin that contains the fix for this vulnerability.
In this blog, I want to share the details of this vulnerability.
To reproduce this vulnerability, you can follow the steps below:
Figure 1. Create a new account
Figure 2. Deploy a process template
Figure 3. Fill the "Project Area Name" field with the PoC
Figure 4. Injected code is executed
Figure 5. Injected code is contained in generated web page
According to our tests, this XSS vulnerability works on Chrome and IE 11 browsers. It is a stored XSS vulnerability, meaning that the injected code is permanently stored on the vulnerable target server. When a victim navigates to the affected web page in a browser, the injected XSS code is then served as part of the web page. This means that victims inadvertently end up executing the malicious code once the web page is viewed in a browser.
The XSS vulnerability is caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script code in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
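As an added illustration (not code from IBM or from this post), here is the defensive pattern that closes this class of bug: encoding a stored value such as the "Project Area Name" at the moment it is written into the generated page, shown beside the unencoded rendering that produces the stored XSS. The function names, the template and the sample input are assumptions for illustration.

```javascript
// Added example (not IBM's code): rendering an untrusted "Project Area Name"
// into an HTML page. The bug class on this page is stored XSS: a value saved
// in one request is later written into a generated page without encoding.
// Names, template and sample input below are assumptions for illustration.

// Encode a value for an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: the stored name is concatenated into markup as-is,
// so any markup inside it becomes part of the page.
function renderProjectAreaVulnerable(name) {
  return `<h1 class="project-area">${name}</h1>`;
}

// Hardened rendering: the same template, but the value is encoded for the
// HTML context it lands in. Encoding at output time protects the page no
// matter how the value reached the database.
function renderProjectAreaSafe(name) {
  return `<h1 class="project-area">${escapeHtml(name)}</h1>`;
}

// Input-side allowlist for project area names (letters, digits, space, _ . -).
// Validation narrows what gets stored; it complements output encoding and
// does not replace it.
function isValidProjectAreaName(name) {
  return typeof name === "string" &&
    name.length >= 1 && name.length <= 64 &&
    /^[\p{L}\p{N} _.-]+$/u.test(name);
}

// Constructed sample value: the canonical XSS test string, not the PoC used
// in the report. The vulnerable renderer emits it as live markup; the safe
// renderer emits it as inert text.
const sampleName = "<script>alert(1)</script>";
console.log(renderProjectAreaVulnerable(sampleName));
console.log(renderProjectAreaSafe(sampleName));
console.log(isValidProjectAreaName(sampleName)); // false
```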
All users of CLM are encouraged to upgrade to the latest version of the CLM software immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature IBM.Collaborative.Lifecycle.Management.XSS.