PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5953 IBM CVE debrief

CVE-2016-5953 describes an information disclosure weakness in IBM Sterling software where a session identifier is transmitted in the URL and may be Base64-encoded in the URL of an error page when a user lacks permission to view a page. NVD lists the issue as CVSS 3.7 (Low) with CWE-200, and the affected CPEs in the record cover IBM Sterling Selling and Fulfillment Foundation versions 9.1.0 through 9.5. IBM’s advisory and the NVD entry are the primary references in the supplied corpus.

Vendor: IBM
Product: CVE-2016-5953
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running the affected IBM Sterling versions should care, especially where URL logging, proxy logging, browser history, or shared links could expose session identifiers. Teams responsible for authentication, session handling, and web error pages should also review the issue.

Technical summary

The vulnerability is an information disclosure problem: a session identifier is carried in the URL, and an error page shown after an authorization failure can encode that identifier in Base64 in the resulting URL. NVD maps the issue to CWE-200 and rates it CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating remote reachability, high attack complexity, no required privileges, no user interaction, and limited confidentiality impact. The supplied NVD record lists IBM Sterling Selling and Fulfillment Foundation 9.1.0, 9.2.0, 9.2.1, 9.3, 9.4, and 9.5 as vulnerable.

Defensive priority

Low. The issue is publicly disclosed and rated low severity, but it should still be remediated because session identifiers in URLs can be exposed through logs, caches, and browser history.

Recommended defensive actions

  • Apply the IBM fix or guidance referenced in the vendor advisory for the affected Sterling release.
  • Review application behavior so session identifiers are not placed in URLs.
  • Inspect error-handling paths to ensure denied-access pages do not reveal session data.
  • Limit exposure of URL-based session material in logs, proxies, and monitoring tools.
  • Validate whether any affected environments still run the listed IBM Sterling versions and plan remediation accordingly.
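The exposure path described in the technical summary (a session identifier in the URL, then a Base64 copy of it in the error page's URL) is exactly what ends up in proxy and web-server logs, so the fourth action above can be checked mechanically. The following added example, which is not IBM's code and not from the debrief, scans Common Log Format lines for session material in request targets, including Base64-encoded values that decode to a URL carrying a session parameter, and emits redacted copies; the parameter names (jsessionid, sessionId, sid), the error-page path and the log lines are constructed assumptions, since the debrief does not name the parameter Sterling uses.

```python
import base64, binascii, re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Hypothetical parameter names; the debrief does not name the parameter Sterling uses.
SESSION_PARAMS = {"jsessionid", "sessionid", "sid"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PATH_SID_RE = re.compile(r";jsessionid=[^/;?#]*", re.IGNORECASE)
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # Common Log Format request

def session_hits(target):
    """Return (kind, param) pairs for session material found in a request target."""
    parts = urlsplit(target)
    hits = [("path", "jsessionid")] if PATH_SID_RE.search(parts.path) else []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_PARAMS:
            hits.append(("plain", key))
        elif B64_RE.match(value):
            # The error page may carry the denied URL, session id included, as Base64.
            try:
                inner = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if session_hits(inner):
                hits.append(("base64", key))
    return hits

def redact_target(target):
    """Blank out flagged values so the identifier never reaches long-term storage."""
    flagged, parts = {p for _, p in session_hits(target)}, urlsplit(target)
    path = PATH_SID_RE.sub(";jsessionid=REDACTED", parts.path)
    query = urlencode([(k, "REDACTED" if k in flagged else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit(parts._replace(path=path, query=query))

def scan_log(lines):
    """Yield (line_no, hits, redacted_line) for each log line carrying session material."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hits = session_hits(m.group("target")) if m else []
        if hits:
            yield n, hits, line.replace(m.group("target"), redact_target(m.group("target")))

# Constructed sample (not real traffic); line 3's query carries the denied URL, Base64-encoded.
DENIED_URL = "/sfs/orders.do?sessionId=3F9A7C21E0"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2017:10:00:01 +0000] "GET /sfs/home.do HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Feb/2017:10:00:02 +0000] "GET /sfs/orders.do;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Feb/2017:10:00:03 +0000] "GET /sfs/error.jsp?code=403&ref='
    + quote(base64.b64encode(DENIED_URL.encode()).decode(), safe="") + ' HTTP/1.1" 403 310',
]
```

Running `scan_log` over the sample flags lines 2 and 3 only; the plain-text hit on line 2 and the Base64-embedded hit on line 3 are both replaced with `REDACTED` before the line is written onward.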

Evidence notes

The debrief is based on the supplied CVE description, the NVD record for CVE-2016-5953, and the vendor references embedded in that record. NVD lists CVSS 3.0 vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N and CWE-200. The record’s reference set includes IBM’s advisory (swg21994521) and a SecurityFocus entry (BID 95431). The CVE was published on 2017-02-01 per the supplied timeline.

Official resources

Publicly disclosed on 2017-02-01, with IBM and NVD references included in the record. No KEV listing was provided in the supplied corpus.