PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5950 IBM CVE debrief

CVE-2016-5950 describes a credential exposure issue in IBM Kenexa LCMS Premier on Cloud. According to the NVD record and IBM advisory reference, user credentials were stored in clear text and could be read by an authenticated user. Because the flaw requires authentication but exposes highly sensitive credentials, it is a meaningful confidentiality risk for any organization running affected versions.

Vendor: IBM
Product: CVE-2016-5950
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators, security teams, and application owners using IBM Kenexa LCMS Premier on Cloud versions 9.0 through 10.2 should care most. Identity and access management teams should also review whether any exposed credentials could be reused elsewhere.

Technical summary

NVD lists affected CPEs for IBM Kenexa LCMS Premier versions 9.0, 9.1, 9.2, 9.2.1, 9.3, 9.4, 9.5, 10.0, 10.1, and 10.2. The issue is described as user credentials stored in clear text and readable by an authenticated user. NVD assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and CWE-255.

Defensive priority

High for any active deployment, because exposed credentials can enable broader account compromise even though the attack requires authentication and does not directly affect integrity or availability.

Recommended defensive actions

  • Confirm whether IBM Kenexa LCMS Premier on Cloud is in use and identify the deployed version.
  • Review IBM's vendor advisory for the patch or remediation guidance referenced by NVD.
  • Treat any credentials that may have been exposed as potentially compromised and rotate them where appropriate.
  • Check for reuse of affected credentials across other systems and reset any reused passwords or secrets.
  • Restrict access to the application to the minimum necessary authenticated users while remediation is underway.
  • Monitor for suspicious account activity that could indicate misuse of exposed credentials.

Evidence notes

The public CVE record was published on 2017-02-01 and later modified in NVD on 2026-05-13. The supplied NVD metadata states that the issue affects IBM Kenexa LCMS Premier on Cloud versions 9.0 through 10.2 and that credentials stored in clear text could be read by an authenticated user. IBM's support advisory and a SecurityFocus entry are cited in the NVD references.

Official resources

Public CVE publication date: 2017-02-01T20:59:01.253Z. The NVD record was modified on 2026-05-13T00:24:29.033Z. Use the CVE publication date as the disclosure timing context; do not treat the later modification date as the issue date.