CVE-2016-4958 - Borland StarTeam XSS

Borland StarTeam Agile suffers from a reflected cross-site scripting vulnerability in its login page.
  • Vendor: Micro Focus - Borland
  • Product page: http://www.borland.com/en-GB/Products/Change-Management/StarTeam-Agile
  • Product description: StarTeam Agile provides support for scrum-based sprint planning, backlog management and tracking. StarTeam Agile's enterprise-class planning and management capability is ideal for large development organizations which often have highly complex needs. It tightly integrates with the StarTeam or AccuRev SCM platforms for effective Agile change management.

Vulnerability

The StarTeam Agile login URL is vulnerable to reflected cross-site scripting, which permits an attacker to inject browser-executable code into a single HTTP response.

To trigger the vulnerability, the attacker injects the XSS payload into the vulnerable parameter:

  • loginfailed

Proof

https://starteamagile.tld/agile/login.jsp?loginfailed=[XSSPayload_Here]

GET /agile/login.jsp?loginfailed=%22;alert(document.cookie);//

After the GET request, the value of the loginfailed parameter is reflected inside a JavaScript block as a variable's value. The %22 (a double quote) closes that string literal, so the rest of the value is parsed and executed as script.
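The following is an added illustration, not code from StarTeam Agile or the advisory: a hypothetical render function that reflects the parameter the way the page describes (straight into a JavaScript string literal), beside a hardened version that encodes the value for a JS string context, plus a small checker that tells whether the rendered script still contains exactly one assignment. Function names and the markup are assumptions.

```javascript
// Constructed payload, taken from the proof-of-concept request above.
const PAYLOAD = '";alert(document.cookie);//';

// Vulnerable pattern (hypothetical): the request parameter is concatenated
// directly into an inline script, so a double quote ends the literal.
function renderLoginVulnerable(loginfailed) {
  return '<script>var loginFailed = "' + loginfailed + '";</script>';
}

// Encoder for untrusted data placed inside a JavaScript string literal.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replacements keep "</script>", "<!--" and U+2028/U+2029 from
// closing the script element or the line before the literal ends.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened pattern (hypothetical): same markup, encoded value.
function renderLoginHardened(loginfailed) {
  return '<script>var loginFailed = ' + jsStringLiteral(loginfailed) + ';</script>';
}

// Parses the rendered script as "var loginFailed = <string literal>;" and
// returns [literal, trailingCode]; trailingCode is non-empty only when the
// value escaped the literal.
function splitScript(html) {
  const body = html.replace(/^<script>/, '').replace(/<\/script>$/, '');
  const m = body.match(/^var loginFailed = ("(?:[^"\\]|\\.)*");(.*)$/s);
  return m === null ? null : [m[1], m[2].trim()];
}

// True when anything other than the single assignment would execute.
function breaksOutOfString(html) {
  const parts = splitScript(html);
  return parts === null || parts[1].length > 0;
}

// The value the browser would actually assign to loginFailed (null if the
// script no longer has the expected shape).
function reflectedValue(html) {
  const parts = splitScript(html);
  return parts === null ? null : JSON.parse(parts[0]);
}
```

With the payload above, the vulnerable render yields `var loginFailed = "";alert(document.cookie);//";`, while the hardened render keeps the whole value inside the literal and the page reads it back unchanged.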

CVSS v2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Timeline (a little recap below, maybe I missed something...)
  • 20 May 2016: Bug discovered
  • 23 May 2016: MITRE contacted
  • 24 May 2016: Vendor contacted, and I got a reply: [...] We greatly appreciate your assistance and willingness to contact us. This information has been passed on to the development team for their initial review. As soon as we can, you will get an update [...]
  • 25 May 2016: Vendor: [...] the development team has confirmed receipt of your finding and is investigating further [...]
  • 22 July 2016: Vendor released a patched version of the ATLAS Planning and Tracking Suite, version 3.2.1

Thank you Micro Focus for the reference in the release notes, appreciated! :)