Key Vulnerability Information

Product: codeBeamer Application Lifecycle Management (ALM)
Affected Versions: 10.0.0-final 21.04-final
Vulnerability Type: Cross-Site Scripting (XSS)
Risk: High
Exploitability: Remotely exploitable

Exploitation Vectors:

1. WebDAV XSS:
   - Users can upload HTML files via WebDAV and execute them within the application.

2. User Import XSS:
   - Admins can import CSV files containing malicious XSS payloads, which will execute when other users access details of these users via the application's API.

3. Login Text XSS:
   - Admins can inject malicious JavaScript into the login page text, which will execute when users open the login page.

Recommendations:

Dangerous characters should be encoded properly depending on the context. Regular HTML content must use HTML encoding.

Timeline:

2020-05-14: Discovery date
2020-05-18: Initial vendor notification
2020-10-02: CVE assigned
2021-06-02: Public disclosure