PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3018 IBM CVE debrief

CVE-2016-3018 is a cross-site scripting (XSS) issue in IBM Security Access Manager that can let an attacker embed arbitrary JavaScript in the Web UI. According to the CVE description, that can alter intended UI behavior and may expose credentials within a trusted session. NVD classifies the weakness as CWE-79 and rates it CVSS 3.0 6.1 (Medium).

Vendor: IBM
Product: CVE-2016-3018
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for IBM Security Access Manager for Web deployments, and teams that still operate the IBM Security Access Manager for Mobile/Web releases listed by NVD as affected. End users are also at risk if they access the vulnerable Web UI in a trusted session.

Technical summary

The vulnerability is a web cross-site scripting flaw in IBM Security Access Manager’s UI layer. The published CVE description says users can embed arbitrary JavaScript code in the Web UI, which can change page behavior and may lead to credential disclosure in the context of a trusted session. NVD maps the issue to CWE-79 and lists as affected IBM Security Access Manager for Web versions 8.0.0.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.5, 8.0.1.0, 8.0.1.2, 8.0.1.3 and 8.0.1.4, plus 9.0.0, 9.0.0.1 and 9.0.1.0, as well as multiple IBM Security Access Manager for Mobile 8.0.x builds.

Defensive priority

Medium. The issue requires user interaction (CVSS UI:R) and is not rated as high severity, but it can impact trusted sessions and credential confidentiality. Prioritize if the product is internet-facing, widely used by privileged users, or if the affected releases are still deployed.

Recommended defensive actions

  • Review IBM’s vendor advisory for the specific remediation guidance for your installed release.
  • Inventory IBM Security Access Manager for Web and Mobile deployments and compare them against the affected versions listed by NVD.
  • Treat any user-controlled content rendered in the Web UI as untrusted until the product is updated and protections are verified.
  • Restrict access to administrative and authentication-related interfaces to trusted networks and users while remediation is underway.
  • Validate that browser-side and server-side controls are in place to reduce XSS exposure, such as proper output encoding and content handling.
  • Re-test the affected UI after remediation to confirm that untrusted script execution is no longer possible in normal workflows.
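The two last actions above (context-aware output encoding on the server side, and re-testing the UI with an untrusted marker after remediation) are shown below in an added example. This is illustrative code written for this debrief, not IBM Security Access Manager code and not a description of the product's internals; the `render_profile_page` function, the CSP builder and the `<x-canary>` marker are constructed assumptions used to demonstrate the technique.

```python
import html
import json

# Marker string used for re-testing: harmless, but it would render as a live
# element if the UI reflected it without encoding. Constructed for this example.
CANARY = "<x-canary a='1'>"


def encode_for_html_body(value: str) -> str:
    """Escape a value for placement in HTML text content."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Escape a value for placement inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Return a JavaScript string literal (with quotes) safe to embed in a script block.

    json.dumps escapes quotes and backslashes; the extra replacements stop the
    value from terminating the surrounding <script> element or HTML context.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def csp_header(nonce: str) -> str:
    """Content-Security-Policy allowing only same-origin and nonce-tagged scripts."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


def render_profile_page(display_name: str, home_url: str, nonce: str) -> str:
    """Hypothetical page renderer: the same untrusted value is emitted into three
    contexts (HTML body, attribute, JS string), each with its own encoder."""
    # Only allow http(s) URLs in href; other schemes are replaced by a safe default.
    safe_url = home_url if home_url.startswith(("https://", "http://")) else "#"
    return (
        "<html><body>"
        f"<h1>Welcome, {encode_for_html_body(display_name)}</h1>"
        f'<a href="{encode_for_html_attribute(safe_url)}">Home</a>'
        f'<script nonce="{nonce}">const user = {encode_for_js_string(display_name)};</script>'
        "</body></html>"
    )


def canary_is_neutralised(rendered_html: str, canary: str = CANARY) -> bool:
    """Re-test check: the raw marker must not appear anywhere in the response.

    Returns True when every occurrence was encoded, False if it was reflected as-is.
    """
    return canary not in rendered_html


if __name__ == "__main__":
    page = render_profile_page(CANARY, "javascript:void(0)", "n1")
    print(csp_header("n1"))
    print(page)
    print("canary neutralised:", canary_is_neutralised(page))
```

The canary check is the kind of assertion to add to a regression suite for the workflows named in the advisory: submit the marker through each input the Web UI reflects, fetch the rendered page, and fail the build if `canary_is_neutralised` returns False. The nonce-based CSP is a browser-side backstop only; it does not replace the encoding on the server.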

Evidence notes

Evidence is limited to the supplied CVE/NVD record and vendor references. The CVE description states arbitrary JavaScript can be embedded in the Web UI and may disclose credentials within a trusted session. NVD marks the weakness as CWE-79 and provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Affected CPEs in the record cover IBM Security Access Manager for Web 8.0.0.0 through 8.0.1.4 and 9.0.0 through 9.0.1.0, plus several IBM Security Access Manager for Mobile 8.0.x releases.

Official resources

CVE published by NVD/CVE on 2017-02-01 and later modified in the record on 2026-05-13. Use the published date for vulnerability timing; the modified date reflects record updates, not original disclosure.