製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の IBM Rational 製品におけるクロスサイトスクリプティングの脆弱性

Title	複数の IBM Rational 製品におけるクロスサイトスクリプティングの脆弱性
Summary	複数の IBM Rational 製品には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、巧妙に細工されたフィールドを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 30, 2016, midnight
Registration Date	Nov. 28, 2016, 4:55 p.m.
Last Update	Nov. 28, 2016, 4:55 p.m.

CVSS3.0 : 警告
Score	5.4
Vector	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS2.0 : 注意
Score	3.5
Vector	AV:N/AC:M/Au:S/C:N/I:P/A:N

Affected System

IBM

Rational Collaborative Lifecycle Management 3.0.1.6 iFix8 未満の 3.0.1.6

Rational Collaborative Lifecycle Management 4.0.7 iFix11 未満の 4.0

Rational Collaborative Lifecycle Management 5.0.2 iFix18 未満の 5.0

Rational Collaborative Lifecycle Management 6.0.2 iFix5 未満の 6.0

Rational DOORS Next Generation 4.0.7 iFix11 未満の 4.0

Rational DOORS Next Generation 5.0.2 iFix18 未満の 5.0

Rational DOORS Next Generation 6.0.2 iFix5 未満の 6.0

Rational Engineering Lifecycle Manager 4.0.7 iFix11 未満の 4.0

Rational Engineering Lifecycle Manager 5.0.2 iFix18 未満の 5.0

Rational Engineering Lifecycle Manager 6.0.2 iFix5 未満の 6.0

Rational Quality Manager 3.0.1.6 iFix8 未満の 3.0.1.6

Rational Quality Manager 4.0.7 iFix11 未満の 4.0

Rational Quality Manager 5.0.2 iFix18 未満の 5.0

Rational Quality Manager 6.0.2 iFix5 未満の 6.0

Rational Rhapsody Design Manager 4.0.7 iFix11 未満の 4.0

Rational Rhapsody Design Manager 5.0.2 iFix18 未満の 5.0

Rational Rhapsody Design Manager 6.0.2 iFix5 未満の 6.0

Rational Software Architect Design Manager 4.0.7 iFix11 未満の 4.0

Rational Software Architect Design Manager 5.0.2 iFix18 未満の 5.0

Rational Software Architect Design Manager 6.0.2 iFix5 未満の 6.0

Rational Team Concert 3.0.1.6 iFix8 未満の 3.0.1.6

Rational Team Concert 4.0.7 iFix11 未満の 4.0

Rational Team Concert 5.0.2 iFix18 未満の 5.0

Rational Team Concert 6.0.2 iFix5 未満の 6.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-0285	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0285
National Vulnerability Database (NVD)
2	CVE-2016-0285	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0285

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
IBM Support Document
1	1991478	http://www-01.ibm.com/support/docview.wss?uid=swg21991478

Change Log

No	Changed Details	Date of change
0	[2016年11月28日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-0285

Summary	Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted field.
Publication Date	Nov. 25, 2016, 4:59 a.m.
Registration Date	Jan. 26, 2021, 2:03 p.m.
Last Update	Nov. 21, 2024, 11:41 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ibm:rational_team_concert:6.0.1:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.0:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.5:::::::*
cpe:2.3:a:ibm:rational_team_concert:5.0.0:::::::*
cpe:2.3:a:ibm:rational_team_concert:6.0.0:::::::*
cpe:2.3:a:ibm:rational_team_concert:6.0.2:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.6:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.4:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.7:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.1:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.2:::::::*
cpe:2.3:a:ibm:rational_team_concert:5.0.1:::::::*
cpe:2.3:a:ibm:rational_team_concert:3.0.1.6:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.3:::::::*
cpe:2.3:a:ibm:rational_team_concert:5.0.2:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/94550
2	http://www.securityfocus.com/bid/94550
3	http://www-01.ibm.com/support/docview.wss?uid=swg21991478	Vendor Advisory
4	http://www-01.ibm.com/support/docview.wss?uid=swg21991478	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ibm:rational_team_concert:6.0.1:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.0:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.5:::::::*
cpe:2.3:a:ibm:rational_team_concert:5.0.0:::::::*
cpe:2.3:a:ibm:rational_team_concert:6.0.0:::::::*
cpe:2.3:a:ibm:rational_team_concert:6.0.2:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.6:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.4:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.7:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.1:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.2:::::::*
cpe:2.3:a:ibm:rational_team_concert:5.0.1:::::::*
cpe:2.3:a:ibm:rational_team_concert:3.0.1.6:::::::*
cpe:2.3:a:ibm:rational_team_concert:4.0.3:::::::*
cpe:2.3:a:ibm:rational_team_concert:5.0.2:::::::*