IBM Engineering Requirements Management vulnerable to Cross-Site Scripting
CVE-2023-28525

4.8MEDIUM

Key Information:

Vendor: IBM
Status: Engineering Requirements Management
Vendor: CVE Published:; 1 March 2024

Summary

IBM Engineering Requirements Management 9.7.2.7 is susceptible to cross-site scripting, which enables users to inject arbitrary JavaScript code into the Web UI. This exploitation can modify the intended functionality of the user interface, posing a risk of credentials disclosure within a trusted session. As a result, attackers can potentially access confidential information during authenticated user sessions.

Affected Version(s)

Engineering Requirements Management 9.7.2.7

References

https://www.ibm.com/support/pages/node/7124058

vendor-advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/251052

vdb-entry

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 1, 2024
Vulnerability Reserved
Mar 16, 2023