IBM Jazz Foundation


By the Year

In 2026 there has been 1 vulnerability in IBM Jazz Foundation, with an average score of 4.3 out of ten. Last year, in 2025, Jazz Foundation had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Jazz Foundation in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.63.




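| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 1 | 4.30 |
| 2025 | 4 | 4.93 |
| 2024 | 2 | 5.70 |
| 2023 | 1 | 5.50 |
| 2022 | 1 | 5.40 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 6.50 |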

It may take a day or so for new Jazz Foundation vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Jazz Foundation Security Vulnerabilities

IBM Jazz Foundation 7.0.3-7.1.0 iFix019/005 Access Control Violation
CVE-2025-15395 4.3 - Medium - February 02, 2026

IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allow users to view or access/perform actions beyond their expected capability.

AuthZ

Stored XSS via Web UI in IBM DOORS Next 7.0.2-7.1.0 iFixes
CVE-2025-1826 5.4 - Medium - October 07, 2025

IBM Engineering Requirements Management DOORS Next (IBM Jazz Foundation 7.0.2 to 7.0.2 iFix034, 7.0.3 to 7.0.3 iFix016, and 7.1.0 to 7.1.0 iFix004) is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users on the host network to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Jazz Foundation XSS in Web UI before 7.0.3 (6.0.6-7.0.2)
CVE-2021-29669 5.4 - Medium - January 12, 2025

IBM Jazz Foundation 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Jazz Foundation 7.0.2/7.0.3/7.1.0 Sensitive Info Disclosure via Detailed Error Message
CVE-2024-5591 4.3 - Medium - January 03, 2025

IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

Generation of Error Message Containing Sensitive Information

IBM Jazz Foundation 7.0.2-7.1.0 Credential Leakage via Unmasked Pass Entry
CVE-2024-41780 4.6 - Medium - January 03, 2025

IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a physical user to obtain sensitive information due to not masking passwords during entry.

Privacy violation

IBM Jazz Foundation: Cross-Site Scripting Vulnerability in Web UI
CVE-2023-45181 6.1 - Medium - November 25, 2024

IBM Jazz Foundation 7.0.2 and below are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS

IBM Jazz Foundation Access Control Vulnerability in Dashboard Configuration
CVE-2023-26280 5.3 - Medium - November 25, 2024

IBM Jazz Foundation 7.0.2 and 7.0.3 could allow a user to change their dashboard using a specially crafted HTTP request due to improper access control.

Incorrect Privilege Assignment

IBM Jazz Foundation Info Disclosure (6.x/7.x)
CVE-2022-34355 5.5 - Medium - October 06, 2023

IBM Jazz Foundation (IBM Engineering Lifecycle Management 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) could disclose sensitive version information to a user that could be used in further attacks against the system. IBM X-Force ID: 230498.

IBM Jazz Foundation (IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) is vulnerable to cross-site scripting
CVE-2021-39059 5.4 - Medium - May 11, 2022

IBM Jazz Foundation (IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214619.

XSS

IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 could allow an authenticated user to obtain sensitive information
CVE-2019-4457 6.5 - Medium - February 19, 2020

IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 could allow an authenticated user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 163654.
