PatchSiren

CVE-2016-9872 EMC CVE debrief

CVE-2016-9872 describes a reflected cross-site scripting (XSS) vulnerability in EMC Documentum D2 versions 4.5 and 4.6. Because the flaw is reflected and requires user interaction, the main risk is session compromise or other client-side impact when a user is induced to open a crafted link or request. NVD maps the issue to CWE-79 and rates it CVSS 3.0 6.1 (Medium).

Vendor: EMC
Product: CVE-2016-9872
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Organizations running EMC Documentum D2 4.5 or 4.6, especially security teams, platform administrators, and web application owners who expose D2 to user access or integrate it into broader enterprise workflows.

Technical summary

NVD identifies the vulnerability as reflected XSS affecting EMC Documentum D2 4.5 and 4.6. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, no privileges required, and a user interaction requirement. The primary weakness is CWE-79. The issue is described as potentially allowing malicious users to compromise the affected system through client-side script execution in a victim's browser context.

Defensive priority

Medium. The issue is publicly known, remotely reachable, and does not require privileges, but it does require user interaction and is not scored as high severity in the supplied data.

Recommended defensive actions

  • Confirm whether any EMC Documentum D2 deployments are running version 4.5 or 4.6.
  • Review the official CVE/NVD record and the referenced vendor or third-party advisories for available remediation guidance.
  • Apply vendor patches or upgrades if a fixed release is available.
  • Reduce exposure of affected interfaces where practical, especially for internet-facing deployments.
  • Harden web application defenses with strict output encoding, input validation, and browser-side protections appropriate to the application.
  • Monitor logs and user reports for suspicious reflected-parameter activity or attempted XSS delivery paths.

Evidence notes

The supplied NVD record states that EMC Documentum D2 versions 4.5 and 4.6 are vulnerable and classifies the flaw as CWE-79. The same record provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and lists third-party advisory references, including SecurityFocus BID 95824 and SecurityTracker 1037733. Public disclosure timing in the supplied corpus is 2017-02-03, with the NVD record later marked modified on 2026-05-13.

Official resources

CVE published on 2017-02-03. The supplied NVD source record was last modified on 2026-05-13; that modification date is metadata for the record, not the original vulnerability date.