PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-2938 IBM CVE debrief

CVE-2016-2938 is a medium-severity cross-site scripting issue in IBM iNotes, with NVD also listing affected IBM Domino and IBM iNotes releases. The flaw allows arbitrary JavaScript to be embedded in the web UI, which can alter page behavior and may disclose credentials within a trusted session.

Vendor: IBM
Product: CVE-2016-2938
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Domino and iNotes administrators, mail and collaboration platform owners, and security teams responsible for browser-based IBM web UI access should review this advisory.

Technical summary

NVD classifies this issue as CWE-79 (Cross-Site Scripting) with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Decoded, the vector describes a network-reachable issue of low attack complexity that requires user interaction but no privileges, with changed scope, low confidentiality and integrity impact, and no availability impact. NVD lists IBM Domino and IBM iNotes releases 8.5.1.0 through 8.5.3.6 and 9.0.0.0 through 9.0.1.6 as vulnerable.

Defensive priority

Medium

Recommended defensive actions

  • Review the IBM PSIRT advisory referenced by NVD and apply the vendor fix or update guidance it provides.
  • Inventory IBM Domino and IBM iNotes deployments and compare them against the vulnerable versions listed in the NVD record.
  • Treat browser-based mail and collaboration sessions as sensitive until affected systems are updated.
  • Verify that web UI inputs and outputs are properly encoded and sanitized in any custom extensions or integrations.
  • Monitor affected environments for unexpected script execution, abnormal page behavior, or suspicious session activity.
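The fourth action above, verifying that custom extensions and integrations encode what they render, is concrete enough to show in code. The following is an added example, not IBM's code and not the fix IBM shipped for this CVE: it places the unsafe concatenation pattern behind CWE-79 beside an encoded version and adds a small probe-based check a team can run against its own rendering helpers. The helper names, the probe string and the sample subject are all constructed for this example.

```javascript
// Added example, not IBM's code and not IBM's fix: output encoding for an
// HTML text or quoted-attribute context, the unsafe pattern it replaces, and
// a check that reports whether a renderer lets markup characters through raw.

// The five characters that must be encoded in HTML text and quoted-attribute
// positions. A single-pass replacement never double-encodes '&'.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: an untrusted mail subject is concatenated straight into markup,
// both inside an attribute and as text. This is the CWE-79 pattern.
function renderSubjectUnsafe(subject) {
  return `<td class="subject" title="${subject}">${subject}</td>`;
}

// Safe: the same cell with the value encoded in both positions. In browser
// code, textContent and setAttribute are preferable because they never parse
// the value as HTML at all; encoding is for code that builds markup strings.
function renderSubjectSafe(subject) {
  const safe = escapeHtml(subject);
  return `<td class="subject" title="${safe}">${safe}</td>`;
}

// Verification: render a constructed probe containing every character an
// encoder must neutralise and report whether any of it came back raw.
const PROBE = 'probe<tag attr="v">&\''; // constructed marker, not a real subject
function leaksRawMarkup(render) {
  const out = render(PROBE);
  return out.includes('<tag') || out.includes('attr="v"') || out.includes("'");
}

// Constructed sample input with the characters that break markup.
const SAMPLE_SUBJECT = 'Q3 numbers: <b>final</b> & "approved"';
console.log(renderSubjectSafe(SAMPLE_SUBJECT));
console.log('unsafe renderer leaks markup:', leaksRawMarkup(renderSubjectUnsafe)); // true
console.log('safe renderer leaks markup:', leaksRawMarkup(renderSubjectSafe));     // false
```

The probe check is deliberately context-specific: it proves only that a renderer is safe for HTML text and quoted-attribute positions. A value placed into a URL, a JavaScript string or a CSS rule needs the encoding for that context, and the same probe would not catch those cases.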

Evidence notes

The supplied corpus supports an IBM iNotes cross-site scripting vulnerability with potential credential disclosure in a trusted session. NVD provides the CVSS v3.0 vector showing network access, low complexity, no privileges, and required user interaction, and it lists affected IBM Domino and IBM iNotes CPEs. The corpus also includes an IBM PSIRT advisory reference, but not the advisory text or a specific fixed version.

Official resources

NVD published the CVE record on 2017-02-01 and last modified it on 2026-05-13. No KEV listing is present in the supplied corpus.