CVE-2009-3730

Name of the Vulnerable Software and Affected Versions IBM Rational RequisitePro version 7.1.0

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the ReqWeb Help feature of IBM Rational RequisitePro. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters in certain API endpoints. The affected endpoints include "ReqWebHelp/advanced/workingSet.jsp" where the operation parameter is vulnerable, and "ReqWebHelp/basic/searchView.jsp" where the searchWord, maxHits, scopedSearch, and scope parameters are vulnerable.

Recommendations For IBM Rational RequisitePro version 7.1.0, consider disabling the ReqWeb Help feature until a patch is available. Restrict access to the vulnerable API endpoints "ReqWebHelp/advanced/workingSet.jsp" and "ReqWebHelp/basic/searchView.jsp" to minimize the risk of exploitation. Avoid using the operation, searchWord, maxHits, scopedSearch, and scope parameters in the affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.