PatchSiren cyber security CVE debrief

CVE-2016-5897 IBM CVE debrief

CVE-2016-5897 is an HTML injection vulnerability in IBM Jazz Reporting Service (JRS). A remote attacker could inject malicious HTML that, when viewed by a victim, executes in the browser within the security context of the hosting site. IBM’s advisory-linked NVD entry identifies affected JRS versions 6.0, 6.0.1, and 6.0.2 and classifies the issue as CWE-79 with a medium CVSS score of 5.4.

Vendor: IBM
Product: CVE-2016-5897
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and users of IBM Jazz Reporting Service deployments running versions 6.0, 6.0.1, or 6.0.2 should care, especially where report content is shared across users or viewed in a browser by higher-privileged staff.

Technical summary

The flaw is a browser-side content injection issue in JRS. An attacker able to supply crafted HTML can cause a victim’s browser to render attacker-controlled markup in the site context, which can lead to unauthorized content injection and limited confidentiality or integrity impact. The NVD vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) shows network reachability, low attack complexity, low privileges, and required user interaction.

Defensive priority

Medium. This is not a high-availability risk, but it can affect user trust, session context, and the integrity of rendered reporting content.

Recommended defensive actions

  • Apply the IBM fix or mitigation referenced in the IBM PSIRT advisory for JRS.
  • Confirm whether any IBM Jazz Reporting Service instances run versions 6.0, 6.0.1, or 6.0.2 and prioritize them for remediation.
  • Review application input handling and output encoding controls around any user-supplied report content or parameters.
  • Validate that report pages and shared links do not render unsanitized HTML from untrusted sources.
  • Use the referenced IBM advisory and NVD record to confirm the exact remediation path for your deployment.

Evidence notes

The NVD record for CVE-2016-5897 states that IBM Jazz Reporting Service is vulnerable to HTML injection and lists vulnerable CPEs for IBM Jazz Reporting Service 6.0, 6.0.1, and 6.0.2. The CVSS 3.0 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and the weakness is mapped to CWE-79. The source references an IBM PSIRT advisory URL (swg21991153) and a SecurityFocus entry (BID 94857). The publishedAt value (2017-02-01T20:59:01.020Z) and modifiedAt value (2026-05-13T00:24:29.033Z) are record metadata timestamps, not separate issue dates.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-01, with IBM advisory references included in the record.