IBM Rational Build Forge contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'bf_session' and 'PHPSESSID' cookies, and the 'mod', 'type', 'count', 'offset' and 'filter' parameters upon submission to the 'fullcontrol/' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Currently, there are no known workarounds or upgrades to correct this issue. However, IBM has released a patch to address this vulnerability.

• Security Tracker: 1025019
• CVE ID: 2011-1034 (see also: NVD)
• Secunia Advisory ID: 43180
• Bugtraq ID: 46125
• VUPEN Advisory: ADV-2011-0276
• Vendor Specific News/Changelog Entry: http://www.ibm.com/support/docview.wss?uid=swg1PM05187

• Not Available