PatchSiren cyber security CVE debrief
CVE-2016-5902 IBM CVE debrief
CVE-2016-5902 is a cross-site scripting flaw in IBM Maximo Asset Management and related Maximo offerings. The issue allows arbitrary JavaScript to be embedded in the web UI, which can alter application behavior and may expose credentials or other session data within a trusted browser session. NVD rates the issue as medium severity, with network-based attack conditions but requiring user interaction.
- Vendor
- IBM
- Product
- IBM Maximo Asset Management (and the Maximo industry solutions listed below)
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-08
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-08
- Advisory updated
- 2026-05-13
Who should care
Administrators and security teams running IBM Maximo Asset Management 7.1, 7.5, or 7.6, as well as the listed Maximo industry solutions (aviation, energy optimization, government, life sciences, nuclear power, oil and gas, transportation, and utilities). Help desk and application owners should also care because successful exploitation depends on a user viewing attacker-controlled content in the web UI.
Technical summary
NVD maps the weakness to CWE-79 and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. That means the flaw is reachable over the network with low attack complexity and no privileges, but it does require user interaction; the changed scope (S:C) reflects that the injected script runs in the victim's browser rather than on the Maximo server itself. The security impact is limited but meaningful: injected script runs in the context of the application session, can change displayed content or the actions a user takes, and can disclose credentials or other sensitive data. The affected CPEs in the NVD record include IBM Maximo Asset Management and several Maximo-branded industry products across the 7.1, 7.5, and 7.6 releases.
Defensive priority
Medium. This is not marked as an active known-exploited vulnerability in the supplied data, but it is security-relevant because it can undermine trusted sessions and user actions in a business application used for asset and operations management.
Recommended defensive actions
- Review IBM's vendor advisory for the supported fix or remediation guidance.
- Apply the vendor patch or update referenced by IBM as soon as practical.
- Treat affected Maximo web pages and fields as potential XSS injection points during validation and testing.
- Reduce exposure by limiting access to the Maximo UI to trusted users and networks where feasible.
- Use defense-in-depth browser and application controls such as output encoding, input validation, and session protection mechanisms.
- Monitor for unusual UI behavior, unexpected script execution, or suspicious credential activity in Maximo sessions.
Evidence notes
The description and weakness classification come from the supplied NVD record: arbitrary JavaScript can be embedded in the Web UI, with CWE-79 listed and CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The NVD record lists IBM advisory reference swg21988252 and a SecurityFocus VDB entry. The supplied data does not include exploit details, proof-of-concept code, or confirmation of active exploitation.
Official resources
- CVE-2016-5902 CVE record (CVE.org)
- CVE-2016-5902 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch, Vendor Advisory (IBM advisory swg21988252, as listed in the NVD record)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry (SecurityFocus)
The CVE was published on 2017-02-08. The 2026-05-13 modification timestamp in the supplied data reflects a later record update, not the original issue disclosure date.