PTC Codebeamer

Plan PatchCVSS 7.1ICS-CERT ICSA-24-128-01May 7, 2024

PTC

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Codebeamer versions 22.10 SP9 and earlier, 2.0.0.3 and earlier, and 2.1.0.0 contain a cross-site scripting (XSS) vulnerability (CWE-79) that allows attackers to inject malicious code via the web interface. Successful exploitation could allow an attacker to inject malicious code in the application, compromising user sessions, project data, or application functionality. The vulnerability requires user interaction (clicking a malicious link) but can be executed from any network-accessible location without authentication.

What this means

What could happen

An attacker could inject malicious code into Codebeamer through a cross-site scripting vulnerability, potentially compromising the integrity of project data, configurations, or user sessions within the application.

Who's at risk

Organizations using PTC Codebeamer for project management, requirements tracking, or configuration control in engineering and operations environments should apply this update. This affects any team members who access Codebeamer through a web browser, including control system engineers, plant operators, and IT administrators who use the platform to manage ICS configuration or project data.

How it could be exploited

An attacker crafts a malicious link or HTML/JavaScript payload and tricks a Codebeamer user into clicking it or opening it in their browser. The victim's browser executes the attacker's code within the Codebeamer session, allowing the attacker to steal session tokens, modify project settings, or inject further malicious content.

Prerequisites

User interaction required: target user must click a malicious link or open a crafted webpage
Network access to the Codebeamer application interface
The victim must have an active or recent session in Codebeamer

remotely exploitablerequires user interactionlow exploit complexityaffects application data integrity and confidentiality

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Codebeamer: <=22.10_SP9≤ 22.10 SP922.10 SP10

Codebeamer: <=2.0.0.3≤ 2.0.0.322.10 SP10

Codebeamer: 2.1.0.02.1.0.022.10 SP10

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDTrain users to avoid clicking links in unsolicited emails and to verify link legitimacy before opening them

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Codebeamer to version 22.10 SP10 or later

HOTFIXUpdate Codebeamer to version 2.0.0.4 or later

HOTFIXUpdate Codebeamer to version 2.1.0.1 or later

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate Codebeamer from the internet and restrict access to authorized users only

HARDENINGUse VPN or secure proxy access for any remote connections to Codebeamer, keeping the VPN software updated

CVEs (1)

CVE-2024-3951

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ecd0c21b-1c33-457c-b3c1-942d5699f5ed

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.