PatchSiren

CVE-2016-5952 IBM CVE debrief

CVE-2016-5952 is a high-severity SQL injection vulnerability in IBM Kenexa LCMS Premier on Cloud. According to the public record, a remote attacker could send specially crafted SQL statements and potentially view, add, modify, or delete data in the back-end database.

Vendor
IBM
Product
Kenexa LCMS Premier on Cloud (affected versions 9.0 through 10.0)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-01
Original CVE updated
2026-05-13
Advisory published
2017-02-01
Advisory updated
2026-05-13

Who should care

Administrators, security teams, and application owners responsible for IBM Kenexa LCMS Premier on Cloud deployments, especially environments running affected versions 9.0 through 10.0.

Technical summary

The NVD record maps this issue to CWE-89 (SQL Injection) and lists CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network reachable, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact. The affected CPE entries in the supplied record include IBM Kenexa LCMS Premier versions 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, and 10.0. The public description states that specially crafted SQL statements could expose or alter database contents; no further detail on the injection point or affected request is given in the record.

Defensive priority

High. The issue is remotely reachable, requires only low privileges and no user interaction, and carries high confidentiality, integrity, and availability impact (C:H/I:H/A:H), so a single low-privileged account is enough to read or alter the back-end database.

Recommended defensive actions

  • Confirm whether IBM Kenexa LCMS Premier on Cloud is in use and identify deployed versions against the affected CPE range.
  • Apply the IBM security update or mitigation referenced in the vendor advisory.
  • Review application input handling and database access paths for SQL injection exposure.
  • Restrict access to administrative and application interfaces where practical, and monitor for suspicious query patterns or unexpected database activity.
  • Validate remediation by testing the affected workflows after patching and documenting the result.
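The CVE record gives no detail on where the injection sits, so the following is an added illustration of the CWE-89 pattern behind the advisory, not code from PatchSiren, IBM, or Kenexa LCMS. It shows a query built by string concatenation beside its parameterized replacement, run against an in-memory SQLite table with constructed rows, and a small pattern check of the kind the monitoring item above refers to. The table name, columns, sample rows, and the `suspicious_query` patterns are all assumptions made for the example.

```python
"""Added example: CWE-89 (SQL injection) demonstrated and detected.

Not code from PatchSiren, IBM, or Kenexa LCMS Premier. The schema, rows and
detection patterns below are constructed for illustration only.
"""
import re
import sqlite3

# Constructed sample data; bears no relation to Kenexa LCMS internals.
SAMPLE_COURSES = [
    (1, "Intro to Security", "alice"),
    (2, "Payroll Admin", "bob"),
    (3, "Board Briefing", "carol"),
]

# Classic tautology payload; the single quote closes the literal and the OR
# clause makes the WHERE condition true for every row.
INJECTION = "alice' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE course (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO course VALUES (?, ?, ?)", SAMPLE_COURSES)
    return conn


def list_courses_vulnerable(conn, owner):
    """Vulnerable: user-controlled text is spliced into the SQL statement."""
    sql = "SELECT id, title FROM course WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def list_courses_hardened(conn, owner):
    """Fixed: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM course WHERE owner = ?", (owner,)
    ).fetchall()


# Assumed patterns for the "suspicious query patterns" monitoring item:
# tautologies, UNION-based extraction, and stacked statements.
SUSPICIOUS = [
    re.compile(r"\bor\b\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),   # OR '1'='1', OR 1=1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),    # UNION SELECT
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),  # stacked statement
]


def suspicious_query(sql):
    """Return True if a logged SQL statement matches an injection pattern."""
    return any(p.search(sql) for p in SUSPICIOUS)


def demo():
    """Run both query paths with a benign value and the injection payload."""
    conn = make_db()
    return {
        "vulnerable_benign": list_courses_vulnerable(conn, "alice"),
        "vulnerable_injected": list_courses_vulnerable(conn, INJECTION),
        "hardened_injected": list_courses_hardened(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    logged = "SELECT id, title FROM course WHERE owner = 'alice' OR '1'='1'"
    print("suspicious:", suspicious_query(logged))
```

The vulnerable path returns every row for the payload because the OR clause becomes part of the statement; the parameterized path returns nothing, since the driver treats the whole string as the owner value. The pattern check is a coarse first filter for query logs, not a substitute for the vendor fix: parameterized statements remove the class of bug, log matching only surfaces obvious probes.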

Evidence notes

The description, CVSS vector, and CWE classification come from the official NVD record supplied in the corpus. IBM’s support advisory is listed as the vendor patch/advisory reference, and SecurityFocus is listed as a technical description/VDB entry reference. The record was published on 2017-02-01 and later modified on 2026-05-13; those dates are from the CVE record timeline, not the vulnerability creation date.

Official resources

The CVE/NVD record (published 2017-02-01, last modified 2026-05-13), the IBM support advisory, and the SecurityFocus entry are the references carried in the stored record; consult the IBM advisory for the authoritative fix and affected-version list.