PatchSiren

CVE-2016-6047 IBM CVE debrief

CVE-2016-6047 is a cross-site scripting vulnerability in IBM Jazz Reporting Service (JRS). According to NVD and IBM-linked references, a user can embed arbitrary JavaScript in the web UI, which can alter application behavior and may expose credentials within a trusted session. The issue is rated medium severity and is associated with IBM JRS 6.0.2 in the NVD record.

Vendor: IBM
Product: CVE-2016-6047
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Jazz Reporting Service administrators, application security teams, and users who rely on JRS web UI sessions, especially in environments running the affected 6.0.2 release.

Technical summary

NVD maps this issue to CWE-79 and lists the vulnerable CPE as IBM Jazz Reporting Service 6.0.2. The CVSS v3.0 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-reachable issue that requires low privileges and user interaction, with potential impact to confidentiality and integrity through cross-site scripting in a trusted session.

Defensive priority

Medium. The vulnerability is externally reachable and can affect trusted browser sessions, but exploitation requires low privileges and interaction by a logged-in user rather than unauthenticated access.

Recommended defensive actions

  • Apply the IBM patch or vendor guidance referenced in the IBM support advisory.
  • Review JRS pages and workflows for any untrusted input that could be reflected or stored in the web UI.
  • Ensure output encoding and input validation are enforced for all user-controlled fields presented in the interface.
  • Limit user privileges where practical and monitor for suspicious script injection or unexpected UI behavior.
  • Validate that affected deployments are not running the vulnerable IBM Jazz Reporting Service 6.0.2 release without remediation.

Evidence notes

The core facts come from the official NVD record and IBM-referenced vendor advisory links. NVD identifies the weakness as CWE-79 and provides the CVSS v3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The NVD CPE entry lists IBM Jazz Reporting Service 6.0.2 as vulnerable. The IBM support document is referenced by NVD as a patch/vendor advisory source.

Official resources

Publicly disclosed in the CVE record on 2017-02-01T20:59:02.003Z. The NVD record was last modified on 2026-05-13T00:24:29.033Z; that date reflects record maintenance, not the original vulnerability date.