IBM Support

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043)

Security Bulletin


Summary guidance: The Jazz Team Server is vulnerable to cross-site scripting.

Vulnerability Details

CVEID:   CVE-2021-39043
DESCRIPTION:   IBM Jazz Foundation is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Products/Versions guidance:

Affected Product(s)Version(s)
Jazz Team Server6.0.6,, 7.0, 7.0.1, 7.0.2



Remediation/Fixes guidance:



Workarounds and Mitigations

Workarounds/Mitigation guidance:

Product(s)Version(s) number and/or range Remediation/Fix/Instructions
Jazz Team Server6.0.6,, 7.0, 7.0.1, 7.0.2


Steps to disable external content widget:

1) On the dashboard screen of the application, the administrator can see the viewlet ID in the widget catalog (Add Widget button on a dashboard) for external content viewlet ID is

2) There is an advanced property, Disabled Widgets. This exists for each application (/jts/admin) that is accessible to the administrator.  This is a comma-separated list of viewlet IDs so in order to disable external content administrator will have to add viewlet ID in this field. Note: The viewlet ID must be listed in the advanced property for the application that owns the viewlet here it is JTS.

3) If a viewlet ID is in the advanced property, it will no longer be listed in the Add Widget interface for all users.

4) If a viewlet ID is in the advanced property, any pre-existing instances of the viewlet in dashboards will show the message "This widget has been disabled by the administrator".



Get Notified about Future Security Bulletins



Reference guidance:



The vulnerability was reported to IBM by

Change History

19 May 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSPRJQ","label":"IBM Engineering Lifecycle Management Base"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6,, 7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
30 January 2023