IBM Support

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043)

Security Bulletin


Summary

Summary guidance: The Jazz Team Server is vulnerable to cross-site scripting.

Vulnerability Details

CVEID:   CVE-2021-39043
DESCRIPTION:   IBM Jazz Foundation is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214032 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Products/Versions guidance:

Affected Product(s)Version(s)
Jazz Team Server6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

 

Remediation/Fixes

Remediation/Fixes guidance:

NA

  

Workarounds and Mitigations

Workarounds/Mitigation guidance:

Product(s)Version(s) number and/or range Remediation/Fix/Instructions
Jazz Team Server6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Steps:

Steps to disable external content widget:

1) On the dashboard screen of the application, the administrator can see the viewlet ID in the widget catalog (Add Widget button on a dashboard) for external content viewlet ID is com.ibm.team.dashboard.viewlets.web.external

2) There is an advanced property, Disabled Widgets. This exists for each application (/jts/admin) that is accessible to the administrator.  This is a comma-separated list of viewlet IDs so in order to disable external content administrator will have to add viewlet ID in this field. Note: The viewlet ID must be listed in the advanced property for the application that owns the viewlet here it is JTS.

3) If a viewlet ID is in the advanced property, it will no longer be listed in the Add Widget interface for all users.

4) If a viewlet ID is in the advanced property, any pre-existing instances of the viewlet in dashboards will show the message "This widget has been disabled by the administrator".

 

 

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Reference guidance:

NA

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by

Change History

19 May 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSPRJQ","label":"IBM Engineering Lifecycle Management Base"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
30 January 2023

UID

ibm16587797

Page Feedback