PatchSiren cyber security CVE debrief

CVE-2016-5899 IBM CVE debrief

CVE-2016-5899 is a cross-site scripting issue in IBM Jazz Reporting Service (JRS). According to the NVD record, affected versions include JRS 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, and 6.0.2. The issue allows a user to embed arbitrary JavaScript in the Web UI, which can alter intended functionality and may expose credentials within a trusted session.

Vendor: IBM
Product: CVE-2016-5899
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for IBM Jazz Reporting Service deployments, especially environments where authenticated users can create or view content rendered in the Web UI.

Technical summary

NVD classifies the weakness as CWE-79 with a CVSS v3.0 base score of 5.4 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability is a web-based cross-site scripting flaw in IBM Jazz Reporting Service that permits arbitrary JavaScript injection through the UI. Because exploitation requires user interaction and low privileges, the impact is limited but still meaningful inside authenticated sessions, and the changed scope reflects that the injected script runs in the victim's browser rather than in the vulnerable component itself.

Defensive priority

Medium. The supplied corpus does not show this CVE in CISA KEV, but it affects multiple IBM JRS versions and can lead to credential exposure or session abuse in browsers that trust the application.

Recommended defensive actions

  • Apply the IBM-referenced fix or mitigation documented in the vendor advisory linked from the NVD record.
  • Upgrade IBM Jazz Reporting Service instances running affected versions 5.0 through 6.0.2 to a remediated release.
  • Review places where JRS accepts or renders user-controlled content in the Web UI and confirm output encoding and input handling are in place.
  • Limit exposure of authenticated administrative and reporting interfaces to trusted networks and users while remediation is pending.
  • After patching, verify that stored or reflected JavaScript injection is no longer possible in the affected UI paths.

Evidence notes

Source evidence comes from the official NVD CVE record and its listed references. NVD identifies the weakness as CWE-79 and lists affected JRS versions 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, and 6.0.2. The vendor reference is IBM support document swg21991154, marked as a Patch/Vendor Advisory. The CVE was published on 2017-02-01T20:59:01.083Z.

Official resources

Publicly disclosed in the NVD record on 2017-02-01T20:59:01.083Z. The supplied corpus does not identify KEV listing or ransomware association.