PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5940 IBM CVE debrief

CVE-2016-5940 describes a cross-site scripting weakness in IBM Kenexa LMS on Cloud. Because the issue lets a user embed arbitrary JavaScript in the Web UI, it can alter application behavior and expose data within a trusted session. The NVD rates it 5.4 (medium) with low attack complexity, user interaction required, and low impacts to confidentiality and integrity.

Vendor
IBM
Product
IBM Kenexa LMS on Cloud (CVE-2016-5940)
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-01
Original CVE updated
2026-05-13
Advisory published
2017-02-01
Advisory updated
2026-05-13

Who should care

Administrators, application owners, and security teams responsible for IBM Kenexa LMS deployments matching the affected NVD CPE versions (4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2), especially where authenticated users can submit or view web content.

Technical summary

NVD classifies the vulnerability as CWE-79 (cross-site scripting). The CVSS v3.0 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity, requiring low privileges and user interaction, with a changed scope, low confidentiality and integrity impact, and no availability impact. The supplied record ties the issue to content handling in the IBM Kenexa LMS Web UI, not to a denial-of-service condition.

Defensive priority

Medium. Prioritize patching or upgrading affected IBM Kenexa LMS instances, then verify that user-controlled content is properly encoded or sanitized across the Web UI.

Recommended defensive actions

  • Apply the IBM remediation referenced in the vendor support advisory for CVE-2016-5940.
  • Verify whether your deployment matches any of the affected IBM Kenexa LMS versions listed in NVD before closing the issue.
  • Review Web UI inputs and rendering paths for unsafe HTML or JavaScript handling, and enforce output encoding/sanitization controls.
  • Treat exposed sessions as potentially sensitive if user-controlled script execution occurred, and review authentication/session logs for unusual activity.

Evidence notes

The supplied NVD record identifies CWE-79 and rates the issue CVSS v3.0 5.4 with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. NVD lists affected IBM Kenexa LMS CPEs for versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2. The record was published on 2017-02-01 and last modified on 2026-05-13. IBM vendor and patch references are included in the NVD references.

Official resources

Public disclosure context in the supplied record is 2017-02-01, the CVE published date. The record was updated later on 2026-05-13, but that is not the original disclosure date.