CVE-2016-9696 - OpenCVE

IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Reference #: 1999960.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Rational Rhapsody Design Manager

Configuration 1 [-]

OR	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.1:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.2:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.3:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.4:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.5:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.6:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.7:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:5.0:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:5.0.1:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:5.0.2:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:6.0:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:6.0.1:::::::*
	cpe:2.3:a:ibm:rational_rhapsody_design_manager:6.0.2:::::::*

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=swg21999960	Patch Vendor Advisory
http://www.securityfocus.com/bid/96830	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2017-03-20T16:00:00

Updated: 2017-03-21T09:57:01

Reserved: 2016-12-01T00:00:00

Link: CVE-2016-9696

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-03-20T16:59:01.827

Modified: 2017-03-23T13:19:36.447

Link: CVE-2016-9696

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Rational Rhapsody Design Manager", "vendor": "IBM Corporation", "versions": [{"status": "affected", "version": "4.0.2"}, {"status": "affected", "version": "3.0"}, {"status": "affected", "version": "3.0.0.1"}, {"status": "affected", "version": "4.0"}, {"status": "affected", "version": "4.0.1"}, {"status": "affected", "version": "4.0.3"}, {"status": "affected", "version": "4.0.4"}, {"status": "affected", "version": "4.0.5"}, {"status": "affected", "version": "4.0.6"}, {"status": "affected", "version": "5.0"}, {"status": "affected", "version": "3"}, {"status": "affected", "version": "4.0.7"}, {"status": "affected", "version": "5.0.2"}, {"status": "affected", "version": "5.0.1"}, {"status": "affected", "version": "6.0"}, {"status": "affected", "version": "6.0.1"}, {"status": "affected", "version": "6.0.2"}, {"status": "affected", "version": "6.0.3"}]}], "datePublic": "2017-03-08T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Reference #: 1999960."}], "problemTypes": [{"descriptions": [{"description": "Gain Access", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-21T09:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"name": "96830", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96830"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=swg21999960"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2016-9696", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rational Rhapsody Design Manager", "version": {"version_data": [{"version_value": "4.0.2"}, {"version_value": "3.0"}, {"version_value": "3.0.0.1"}, {"version_value": "4.0"}, {"version_value": "4.0.1"}, {"version_value": "4.0.3"}, {"version_value": "4.0.4"}, {"version_value": "4.0.5"}, {"version_value": "4.0.6"}, {"version_value": "5.0"}, {"version_value": "3"}, {"version_value": "4.0.7"}, {"version_value": "5.0.2"}, {"version_value": "5.0.1"}, {"version_value": "6.0"}, {"version_value": "6.0.1"}, {"version_value": "6.0.2"}, {"version_value": "6.0.3"}]}}]}, "vendor_name": "IBM Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Reference #: 1999960."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Gain Access"}]}]}, "references": {"reference_data": [{"name": "96830", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96830"}, {"name": "http://www.ibm.com/support/docview.wss?uid=swg21999960", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg21999960"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2016-9696", "datePublished": "2017-03-20T16:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2017-03-21T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "46883130-F370-406C-A8E8-213399F2EE47", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "5A13CE71-BEC0-4DEC-9CF7-183672F6729D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "2DB2451D-F31E-4CF6-8E61-2970A4FB174D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "01A27F4B-0ED9-479F-B91B-FCB514CF1D1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "EEAF452F-94AB-4857-BCD6-AE5251C61526", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7596E71E-4507-4EFC-ABF9-41D8FD338CC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "9B201E3D-1028-4955-AFE2-AF8C14CAA182", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "A1C966E0-6372-4CA5-902E-DEE17FC139E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B12D7433-30F0-427F-BF82-0AAD492CE35D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "E6E654FB-BD17-4308-9CD0-163D8DA0BD6B", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "64D14BEF-D1F0-4C27-87F0-8BCAD8A3E369", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "C0B9D0C8-2EB2-4209-8495-1B3B823D9A41", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "94EF2E53-3618-4610-AC36-602584DB26EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "EF978C93-8747-416A-890B-09575EF0BA13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Reference #: 1999960."}, {"lang": "es", "value": "IBM Rhapsody DM 4.0, 5.0, y 6.0 es vulnerable a inyecci\u00f3n de HTML. Un atacante remoto podr\u00eda inyectar c\u00f3digo HTLM malicioso HTML, que cuando se ve, ser\u00eda ejecutado en el navegador web de la v\u00edctima dentro del contexto de seguridad del sitio de alojamiento. IBM Reference #: 1999960."}], "id": "CVE-2016-9696", "lastModified": "2017-03-23T13:19:36.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-20T16:59:01.827", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=swg21999960"}, {"source": "psirt@us.ibm.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96830"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}