Skip to main content
(844) 422-7000

​PTC Codebeamer

1. EXECUTIVE SUMMARY

​CVSS v3 8.8
​ATTENTION: Exploitable remotely/low attack complexity
​Vendor: PTC
​Equipment: Codebeamer
​Vulnerability: Cross site scripting

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim’s browser upon clicking on a malicious link.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following versions of PTC Codebeamer, Application Lifecycle Management (ALM) platform for product and software development, are affected:

​Codebeamer: v22.10-SP6 or lower
​Codebeamer: v22.04-SP2 or lower
​Codebeamer: v21.09-SP13 or lower

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

​If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

CVE-2023-4296 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Multiple
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

​Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA.

4. MITIGATIONS

​PTC recommends the following:

​Version 22.10.X: upgrade to 22.10-SP7 or newer version
​Version 22.04.X: upgrade to 22.04-SP3 or newer version
​Version 21.09.X: upgrade to 21.09-SP14 or newer version

​Docker Image download: https://hub.docker.com/r/intland/codebeamer/tags

​Codebeamer installers: https://intland.com/codebeamer-download/

​Hosted customers may request an upgrade through the support channel.

​Note that version 2.0 is not impacted by this vulnerability.

​For more information refer to PTC Security Advisory and Resolution.

​CISA recommends users take the following measures to protect themselves from social engineering attacks:

​Do not click web links or open attachments in unsolicited email messages.
​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.