PatchSiren cyber security CVE debrief
CVE-2016-5883 IBM CVE debrief
CVE-2016-5883 describes a cross-site scripting issue in IBM iNotes 8.5 and 9.0. According to the NVD record, the flaw allows arbitrary JavaScript to be embedded in the web UI, which can alter intended application behavior and may lead to credential disclosure within a trusted session. The issue was published on 2017-02-23 and later updated in the NVD record on 2026-05-13; those dates describe record lifecycle, not a new flaw date.
- Vendor
- IBM
- Product
- IBM iNotes
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-23
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-23
- Advisory updated
- 2026-05-13
Who should care
Administrators and security teams responsible for IBM iNotes deployments, especially environments exposing the web UI to users, should treat this as relevant. Any organization running affected 8.5 or 9.0 releases should verify patch status and review whether the web interface is reachable by untrusted users.
Technical summary
NVD maps this vulnerability to CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS) and gives it CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, rated 6.1 Medium. The affected product/version coverage listed by NVD includes IBM iNotes 8.5.1.0 through 8.5.3.6 and 9.0.0.0 through 9.0.1.6. The core impact is that malicious script content can run in the context of a trusted web session, which can expose credentials and modify application behavior.
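The version coverage above is the practical test for whether a deployment is in scope. The following is an added example (not IBM, NVD or PatchSiren code) that compares a four-part iNotes build string against the two inclusive ranges NVD lists; the host names and build strings in it are constructed for illustration, and the assumption that a release string has at most four numeric parts is mine.

```python
"""Triage IBM iNotes build strings against the ranges NVD lists for
CVE-2016-5883: 8.5.1.0 - 8.5.3.6 and 9.0.0.0 - 9.0.1.6, both inclusive.

Added example for this debrief, not vendor code. Caveat: a version string
alone does not show whether the IBM interim fix from the vendor advisory
(swg21997010) has been applied, so a match here means "check the fix",
not "confirmed vulnerable".
"""

# (lower bound, upper bound) tuples, inclusive, taken from the NVD coverage.
AFFECTED_RANGES = (
    ((8, 5, 1, 0), (8, 5, 3, 6)),
    ((9, 0, 0, 0), (9, 0, 1, 6)),
)


def parse_version(text):
    """Turn '9.0.1.6' (or a shorter '9.0.1') into a 4-tuple of ints.

    Missing trailing components are padded with 0, so '9.0.1' compares as
    9.0.1.0. Anything non-numeric is rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(text):
    """True if the version falls inside any NVD-listed affected range."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """inventory: iterable of (host, version) -> list of (host, version, affected)."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    sample = [
        ("mail-a.example.test", "8.5.3.6"),
        ("mail-b.example.test", "9.0.1.7"),
        ("mail-c.example.test", "9.0.1"),
    ]
    for host, ver, hit in triage(sample):
        print(f"{host:24} {ver:10} {'AFFECTED-RANGE' if hit else 'outside range'}")
```

Run it against your own inventory export; any row flagged still needs the vendor fix check from the advisory, since the tuple comparison cannot see interim fixes.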
Defensive priority
Medium, with higher urgency if the web UI is broadly accessible or if users handle sensitive mail/session data. Exploitation needs no privileges (PR:N) but does require user interaction (UI:R), and the vector records a scope change (S:C) with low confidentiality and integrity impact, so a successful attack runs in the victim's trusted session rather than on the server. Remediate in the normal patch cycle rather than deferring.
Recommended defensive actions
- Confirm whether any IBM iNotes 8.5 or 9.0 installations match the affected versions listed by NVD.
- Apply the IBM remediation referenced in the vendor advisory (IBM Reference #1997010 / support doc swg21997010) and verify the fix is present.
- Restrict access to the web UI to trusted users and networks where practical, reducing exposure to crafted content.
- Because the vector requires user interaction, a victim has to load attacker-controlled content in the iNotes web UI; review application guidance for how HTML and script content is handled in iNotes sessions, and remind users not to open unexpected links or messages that target the web client.
- Monitor web server and reverse-proxy logs for requests against iNotes paths that carry script tags, event handlers or their encoded equivalents, and for unusual session activity in the web interface.
- After remediation, confirm that HTML or script content submitted through the relevant workflow is rendered encoded rather than executed.
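The last action above is easy to state and easy to get wrong: a quick "I don't see an alert" check misses cases where the markup is stripped, or where a canary is only partially encoded. The following is an added example (not IBM code and not a PatchSiren tool) that classifies how a unique canary came back in a captured response body. The canary shape, the function names and the two sample bodies are constructed for illustration; in practice you would capture the real iNotes response with any HTTP client and pass its body to classify_reflection.

```python
"""Post-remediation check: did the canary come back raw, escaped, stripped
or not at all? Added example, not vendor code. Assumption: the reflection
point is HTML element content, so '<' and '>' must be encoded; if the
value lands inside an attribute or a script block, the escaped form
accepted here is not sufficient on its own.
"""
import html
import secrets


def make_canary(token):
    """Markup that must be neutralised if it is ever rendered as HTML."""
    return f'<img src=x onerror="{token}">'


def new_token():
    """Unique, letter-prefixed token so it cannot collide with page content."""
    return "cs" + secrets.token_hex(4)


def classify_reflection(body, token):
    """Return one of 'raw', 'escaped', 'stripped', 'absent'.

    raw      - canary present verbatim: script context reachable, still broken
    escaped  - angle brackets encoded (quotes may or may not be): neutralised
    stripped - only the bare token survived: markup was filtered, also OK
    absent   - token not reflected at all on this page
    """
    canary = make_canary(token)
    if canary in body:
        return "raw"
    escaped_forms = (
        html.escape(canary, quote=True),   # &lt;img ... onerror=&quot;tok&quot;&gt;
        html.escape(canary, quote=False),  # &lt;img ... onerror="tok"&gt;
    )
    if any(form in body for form in escaped_forms):
        return "escaped"
    if token in body:
        return "stripped"
    return "absent"


def verify_fixed(body, token):
    """True only when the canary is neutralised (escaped or stripped)."""
    return classify_reflection(body, token) in ("escaped", "stripped")


if __name__ == "__main__":
    token = new_token()
    canary = make_canary(token)
    # Constructed response bodies standing in for a captured iNotes page.
    before_fix = f'<div class="subject">{canary}</div>'
    after_fix = f'<div class="subject">{html.escape(canary)}</div>'
    for label, body in (("before fix", before_fix), ("after fix", after_fix)):
        print(f"{label:10} -> {classify_reflection(body, token)}")
```

Use a fresh token per run: if the token is reused, an older message still sitting in the mailbox can make a "raw" result look like a regression of the fix rather than old data.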
Evidence notes
Primary evidence comes from the NVD CVE record and its referenced IBM vendor advisory. NVD lists IBM iNotes as the affected product, identifies CWE-79, and provides the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The NVD reference list includes the IBM advisory/support document, which is the most direct remediation pointer. SecurityFocus and SecurityTracker are listed as secondary references in the NVD metadata but were not used as primary evidence here.
Official resources
- CVE-2016-5883 CVE record (CVE.org)
- CVE-2016-5883 NVD detail (NVD)
- Mitigation or vendor reference: IBM advisory / support document swg21997010, tagged in NVD as Patch, Vendor Advisory
Publicly disclosed in the CVE/NVD record on 2017-02-23. The NVD record was modified later on 2026-05-13, but that update does not change the original disclosure timing. The vulnerability affects IBM iNotes 8.5 and 9.0 web UI handling of unv