PTC Codebeamer
Action: Plan Patch
CVSS: 8.8
Source: ICS-CERT ICSA-23-241-01
Date: Aug 29, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
This is a cross-site scripting (XSS) vulnerability in PTC Codebeamer that allows an attacker to inject arbitrary code into a user's browser. Successful exploitation requires the user to click a malicious link while logged into Codebeamer. The injected code executes with the privileges of the logged-in user, potentially allowing data theft, session hijacking, or unauthorized modifications to Codebeamer projects and data. Codebeamer version 2.0 is not affected.
What this means
What could happen
An attacker could inject malicious code into a user's browser session, potentially stealing credentials, modifying project data, or performing unauthorized actions on behalf of the victim within Codebeamer.
Who's at risk
Organizations using Codebeamer for project management, requirements tracking, or ALM (application lifecycle management) are affected. This includes engineering teams, software development departments, and quality assurance groups that rely on Codebeamer to store and manage project data and communications.
How it could be exploited
An attacker crafts a malicious URL or embeds a malicious payload in a link shared via email or social engineering. When a Codebeamer user clicks the link while logged in, the injected code executes in their browser with their privileges, allowing the attacker to steal session tokens, modify project data, or redirect users to phishing sites.
Prerequisites
- User must click a malicious link or visit a compromised page
- User must be logged into Codebeamer at the time of visit
- No special network access required
Tags:
- remotely exploitable
- requires user interaction (clicking link)
- high CVSS (8.8)
- cross-site scripting (XSS) vulnerability
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (3), 3 with fix
Product             Affected Versions   Fix Status
Codebeamer 22.10.X  <= 22.10-SP6        22.10-SP7 or newer version
Codebeamer 22.04.X  <= 22.04-SP2        22.04-SP3 or newer version
Codebeamer 21.09.X  <= 21.09-SP13       21.09-SP14 or newer version
Remediation & Mitigation
Do now
- HARDENING: Train users to avoid clicking unsolicited links in email and to verify URLs before following them
Schedule (requires maintenance window)
Patching may require device reboot; plan for process interruption
- HOTFIX: Upgrade Codebeamer 22.10.X to version 22.10-SP8 or newer
- HOTFIX: Upgrade Codebeamer 22.04.X to version 22.04-SP6 or newer
- HOTFIX: Upgrade Codebeamer 21.09.X to version 21.09-SP14 or newer
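An added example, not part of the advisory or vendor material: a small inventory check that applies the affected-version ceilings from the table above and the upgrade targets from the remediation list to a constructed list of Codebeamer hosts (host names and versions are made up). Because the table's fix status and the remediation list name different service packs for the 22.10 and 22.04 branches, exposure is decided from the table's affected ranges and the recommendation is taken from the remediation list.

```python
import re

# Affected-version ceilings from the advisory table above: branch -> highest
# affected service pack (e.g. 22.10-SP6 is affected, 22.10-SP7 is fixed).
AFFECTED_CEILING = {"22.10": 6, "22.04": 2, "21.09": 13}
# Upgrade targets from the "Schedule" remediation list above.
UPGRADE_TARGET = {"22.10": "22.10-SP8", "22.04": "22.04-SP6", "21.09": "21.09-SP14"}
# The summary states that Codebeamer 2.0 is not affected.
NOT_AFFECTED = {"2.0"}

VERSION_RE = re.compile(r"^(\d+\.\d+)(?:-SP(\d+))?$")


def parse_version(version):
    """Split '22.10-SP6' into ('22.10', 6); a bare '22.10' counts as SP0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Codebeamer version string: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def assess(version):
    """Classify one installed version against this advisory."""
    branch, sp = parse_version(version)
    if branch in NOT_AFFECTED:
        return {"version": version, "status": "not_affected", "action": None}
    if branch not in AFFECTED_CEILING:
        # Branches the advisory does not list are reported as out of scope,
        # not as safe; they need a manual check against the vendor notice.
        return {"version": version, "status": "not_listed", "action": None}
    if sp <= AFFECTED_CEILING[branch]:
        return {"version": version, "status": "affected",
                "action": f"upgrade to {UPGRADE_TARGET[branch]} or newer"}
    return {"version": version, "status": "fixed", "action": None}


def triage(inventory):
    """Return {host: assessment} for a list of (host, version) pairs."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed inventory for illustration; host names and versions are made up.
    inventory = [("alm-prod-01", "22.10-SP6"), ("alm-prod-02", "22.10-SP7"),
                 ("alm-dev", "21.09-SP13"), ("alm-legacy", "22.04"),
                 ("alm-pilot", "2.0")]
    for host, result in triage(inventory).items():
        print(f"{host:12} {result['version']:12} {result['status']:13} {result['action'] or ''}")
```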
CVEs (1)
API:
/api/v1/advisories/6b10df16-13d8-45f7-8f96-ce32a05c6ce3