PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5937 IBM CVE debrief

CVE-2016-5937 describes a cross-site request forgery issue in IBM Kenexa LCMS Premier on Cloud. NVD lists affected versions from 9.0 through 10.2 and rates the issue CVSS 3.0 8.8 (High). The attack needs user interaction (an authenticated user must load attacker-controlled content), but the application then trusts the resulting request on the strength of the user's session alone, so state-changing functionality may be abused if CSRF protections are missing or ineffective.

Vendor
IBM
Product
IBM Kenexa LCMS Premier on Cloud
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-01
Original CVE updated
2026-05-13
Advisory published
2017-02-01
Advisory updated
2026-05-13

Who should care

Administrators and security teams running IBM Kenexa LCMS Premier on Cloud, especially environments with authenticated workflows that change content, users, or configuration. Application owners and incident responders should also review any user-driven administrative paths.

Technical summary

NVD classifies the weakness as CWE-352 and maps it to CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. PR:N reflects that the attacker needs no account of their own (the victim's authenticated session supplies the privileges), while UI:R reflects that the victim must be induced to trigger the request. The record lists IBM Kenexa LCMS Premier versions 9.0, 9.2, 9.2.1, 9.3, 9.4, 9.5, 10.0, 10.1, and 10.2 as vulnerable. The issue is consistent with a CSRF flaw where a trusted user's browser can be induced to submit unintended state-changing requests, with the C:H/I:H/A:H impact indicating that such requests could read, modify, or disrupt data and configuration with the victim's privileges.

Defensive priority

High priority for affected deployments because the issue is network-reachable and can impact authenticated state-changing actions. Prioritize remediation where administrative or workflow endpoints are exposed to regular users.

Recommended defensive actions

  • Apply IBM's remediation referenced in advisory SWG21992067 for affected Kenexa LCMS Premier releases.
  • Review all authenticated, state-changing endpoints for CSRF defenses, including anti-CSRF tokens and server-side request validation.
  • Harden session handling and browser-side protections where applicable, such as SameSite cookie settings; treat these as defense in depth that complements, rather than replaces, server-side anti-CSRF tokens, and verify that sensitive actions require explicit re-authentication or confirmation.
  • Audit logs and recent changes for unexpected content, account, workflow, or configuration modifications tied to trusted-user sessions.
  • Confirm which deployed IBM Kenexa LCMS Premier versions match the NVD-listed affected CPEs before and after remediation.
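The following is an added example illustrating the CSRF-defense review in the list above; it is not IBM's code and says nothing about how Kenexa LCMS Premier is implemented. It puts a CWE-352 style handler (acts on any request that carries a valid session cookie) beside a hardened one that requires a per-session synchronizer token and a matching Origin or Referer, emits the SameSite cookie attribute as defense in depth, and runs both over constructed sample requests. The origin lcms.example.com, the cookie name LCMSSESSION, the paths, and the field names are assumptions made for the example.

```python
"""Added example: synchronizer-token plus Origin check for state-changing
requests, applied to constructed sample traffic. Not IBM's code; the origin,
cookie name, paths and field names are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://lcms.example.com"   # assumed deployment origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    user: str
    # Per-session secret the server embeds in its own forms; a page on another
    # origin cannot read it, so a forged cross-site request cannot supply it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]   # resolved from the cookie the browser attached


def vulnerable_handle(req: Request) -> Tuple[int, str]:
    """CWE-352 pattern: any request carrying a valid session is acted on,
    regardless of which site caused the browser to send it."""
    if req.session is None:
        return 401, "login required"
    if req.method in STATE_CHANGING:
        return 200, f"{req.session.user} modified {req.path}"
    return 200, "ok"


def csrf_reason(req: Request) -> Optional[str]:
    """Return None when a state-changing request is acceptable, else why not."""
    if req.method not in STATE_CHANGING:
        return None                       # safe methods must not change state
    if req.session is None:
        return "no session"
    sent = req.form.get("csrf_token", "")
    # Constant-time comparison; bytes because compare_digest rejects non-ASCII str.
    if not hmac.compare_digest(sent.encode(), req.session.csrf_token.encode()):
        return "missing or invalid csrf token"
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return "state-changing request without Origin or Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return f"cross-origin request from {parts.scheme}://{parts.netloc}"
    return None


def hardened_handle(req: Request) -> Tuple[int, str]:
    """Same endpoint with the CSRF check applied before any state change."""
    if req.session is None:
        return 401, "login required"
    reason = csrf_reason(req)
    if reason is not None:
        return 403, reason
    if req.method in STATE_CHANGING:
        return 200, f"{req.session.user} modified {req.path}"
    return 200, "ok"


def session_cookie(session_id: str) -> str:
    """Cookie attributes that complement the token check: SameSite=Lax stops the
    browser attaching the cookie to cross-site POSTs in the first place."""
    return f"LCMSSESSION={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def sample_requests() -> List[Request]:
    """Constructed traffic: legitimate edit, forged edit, token with foreign
    Referer, and a plain GET."""
    alice = Session(user="alice")
    return [
        Request("POST", "/admin/users/edit", {"Origin": SITE_ORIGIN},
                {"role": "admin", "csrf_token": alice.csrf_token}, alice),
        Request("POST", "/admin/users/edit", {"Origin": "https://attacker.example"},
                {"role": "admin"}, alice),
        Request("POST", "/admin/users/edit", {"Referer": "https://attacker.example/p.html"},
                {"role": "admin", "csrf_token": alice.csrf_token}, alice),
        Request("GET", "/admin/users", {}, {}, alice),
    ]


def compare() -> List[Tuple[int, int]]:
    """(vulnerable status, hardened status) for each sample request."""
    return [(vulnerable_handle(r)[0], hardened_handle(r)[0]) for r in sample_requests()]


if __name__ == "__main__":
    for r, (v, h) in zip(sample_requests(), compare()):
        print(f"{r.method} {r.path:20} vulnerable={v} hardened={h} {hardened_handle(r)[1]}")
```

The vulnerable handler accepts all three POSTs because each arrives with Alice's session; the hardened handler rejects the forged request for lacking the token and the third request for its foreign Referer even though the token is present. The same csrf_reason check, run over recorded requests, is a cheap way to triage the log review recommended above for state-changing requests that arrived cross-origin.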

Evidence notes

The debrief is based on the NVD CVE record and the IBM PSIRT advisory reference included in the source item. NVD identifies CWE-352 and lists affected CPEs for Kenexa LCMS Premier 9.0, 9.2, 9.2.1, 9.3, 9.4, 9.5, 10.0, 10.1, and 10.2. The supplied source item shows CVE publication on 2017-02-01 and an NVD modification on 2026-05-13. No exploit details are included here.

Official resources

Publicly disclosed in the CVE record on 2017-02-01T20:59:01.130Z; the NVD entry was last modified on 2026-05-13T00:24:29.033Z.