
codebeamer Application Lifecycle Management (ALM)


Tags: Security

Security Vulnerabilities Identified in Codebeamer - CVE-2023-4296

Applies To

  • Codebeamer v22.10-SP7 or lower
  • Codebeamer v22.04-SP5 or lower
  • Codebeamer v21.09-SP13 or lower

Description

A reflected cross-site scripting (XSS) vulnerability (CVE-2023-4296) may allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim's browser when the victim clicks a malicious link.

  • CVSS 3.1 Score: 8.8 High
  • CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Common Vulnerabilities and Exposures: CVE-2023-4296
  • Researcher Attribution: Niklas Schilling - sec-consult.com

Note that PTC has neither any indication nor been made aware that this vulnerability has been or is being exploited.

Resolution

  • Codebeamer customers will need to upgrade to at least 22.10-SP8, 22.04-SP6, or 21.09-SP14 to mitigate the risk of this vulnerability.
  • PTC strongly recommends that all customers consistently update to the most recent versions to ensure they receive the benefit of the latest security improvements and patches, as well as product improvements.
  • The table below displays the minimal service pack that must be applied, based on the version currently in use.

    Version   Minimum Upgrade Action Required
    22.10.X   22.10-SP8
    22.04.X   22.04-SP6
    21.09.X   21.09-SP14

Note that version 2.0 is not impacted by this vulnerability.
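As an added example that is not part of PTC's advisory: a small Python triage helper that parses codebeamer version strings in the form shown above, flags installs below the fixed service packs from the table, and treats the 2.0 line as unaffected. The optional third version component (e.g. 22.10.1) and the unlisted-branch handling are assumptions; the host names are constructed.

```python
import re

# Fixed service packs from the advisory's table, keyed by (major, minor) branch.
FIXED_SP = {(22, 10): 8, (22, 4): 6, (21, 9): 14}
# Accepts "22.10", "22.10-SP7" or "22.10.1-SP7" (optional patch digit is an assumption).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(?:-SP(\d+))?$")

def parse_version(text):
    """Return (major, minor, service_pack); a missing -SPn suffix counts as SP0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised codebeamer version string: {text!r}")
    major, minor, sp = m.groups()
    return int(major), int(minor), int(sp) if sp else 0

def is_affected(text):
    """True if below the branch's fixed SP, False if fixed or on the unaffected 2.0 line,
    None if the branch is not listed in the advisory (needs manual review)."""
    major, minor, sp = parse_version(text)
    if (major, minor) == (2, 0):
        return False  # advisory: version 2.0 is not impacted
    fixed = FIXED_SP.get((major, minor))
    if fixed is None:
        return None
    return sp < fixed

def minimum_upgrade(text):
    """Return the minimum fixed version string for an affected install, else None."""
    if not is_affected(text):
        return None
    major, minor, _ = parse_version(text)
    return f"{major}.{minor:02d}-SP{FIXED_SP[(major, minor)]}"

def triage(inventory):
    """Map each (host, version) pair to its upgrade target, "ok", or "review"."""
    report = {}
    for host, version in inventory:
        affected = is_affected(version)
        report[host] = "review" if affected is None else (minimum_upgrade(version) if affected else "ok")
    return report

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("alm-prod", "22.10-SP7"), ("alm-test", "22.04-SP6"),
              ("alm-legacy", "21.09.2-SP13"), ("alm-old", "2.0")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```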