Security Vulnerabilities Identified in Codebeamer - CVE-2023-4296

Applies To

• Codebeamer v22.10-SP7 or lower
• Codebeamer v22.04-SP5 or lower
• Codebeamer v21.09-SP13 or lower

Description

Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2023-4296) may allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim's browser upon clicking on a malicious link.

• CVSS 3.1 Score: 8.8 High
• CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
• CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
• Common Vulnerabilities and Exposures: CVE-2023-4296
• Researcher Attribution: Niklas Schilling - sec-consult.com

Note that PTC neither has indication nor has been made aware that this vulnerability has been or is being exploited.

Resolution

• Codebeamer customers will need to upgrade to at least 22.10-SP8, 22.04-SP6, or 21.09-SP14 to mitigate the risk of this vulnerability.
• PTC strongly recommends all customers consistently update to the most recent versions to ensure you receive the benefit of the latest security improvements and patches, as well as product improvements.
• The table below displays the minimal service packs that will need to be applied, based on your current version in use.

• Docker Image Download
• Codebeamer Installers
• HOSTED CUSTOMERS:
  • Utilize the following link to our support channel to request an upgrade: CB:/tracker/1910563?showAll=false.

Note that version 2.0 is not impacted by this vulnerability.