PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6072 IBM CVE debrief

CVE-2016-6072 is a cross-site scripting (XSS) issue in IBM Maximo Asset Management and related IBM Maximo/Tivoli products. IBM’s advisory and NVD describe a flaw that can let an authenticated user embed arbitrary JavaScript in the Web UI, altering application behavior and potentially exposing credentials or other data within a trusted session. The public record shows this was disclosed on 2017-02-01 and later modified by NVD on 2026-05-13; there is no KEV listing in the supplied data.

Vendor: IBM
Product: CVE-2016-6072
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running IBM Maximo Asset Management 7.6.0.0 or related IBM Maximo/Tivoli products listed in the NVD CPE set should review this immediately, especially if users can submit or view content in the Web UI. Any environment where privileged operators use shared browser sessions or have access to sensitive assets, work orders, or credentials should treat this as relevant.

Technical summary

NVD classifies the weakness as CWE-79 (Cross-Site Scripting) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue affects IBM Maximo Asset Management 7.6.0.0 and multiple related products listed in the NVD record, including Maximo for Aviation, Life Sciences, Nuclear Power, Oil and Gas, Transportation, Utilities, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Change and Configuration Management Database, Tivoli Integration Composer, and Tivoli Service Request Manager. The documented impact is execution of arbitrary JavaScript in the web application context, which can lead to session abuse and limited confidentiality/integrity impact.

Defensive priority

Medium. This is not a high-availability risk, but XSS in an enterprise Web UI can still expose credentials, session data, or privileged actions when operators are logged in.

Recommended defensive actions

  • Apply the IBM PSIRT remediation referenced in IBM’s advisory for this issue.
  • Inventory IBM Maximo and related Tivoli deployments against the affected CPE list in the NVD record.
  • Review Web UI fields, forms, and customizations that render user-controlled content without proper output encoding.
  • Check whether browser-side protections such as Content Security Policy and session-hardening controls are in place, while relying on server-side fixes as the primary remediation.
  • Re-test after applying vendor guidance to confirm that user-supplied content is safely encoded or sanitized.
  • Monitor privileged user workflows for unexpected script execution or anomalous session behavior.
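The two review items above (output encoding of user-controlled Web UI content, and a Content Security Policy that actually constrains scripts) can be checked mechanically. The following Python is an added illustration written for this debrief; it is not IBM Maximo code, not taken from the IBM or NVD references, and the field content, template fragments and header map are constructed samples. It contrasts a vulnerable concatenation template with an encoded one for element-body and attribute contexts, and evaluates a response header map for a CSP whose script-src does not fall back to 'unsafe-inline'.

```python
"""Added example for the CVE-2016-6072 debrief (not vendor code).

Demonstrates the defensive controls named in the recommended actions:
contextual HTML output encoding and a meaningful Content-Security-Policy.
"""
import html
import re

# Constructed sample of user-controlled content, e.g. a work-order description
# typed into a Web UI field. It carries a double quote and markup so that both
# the element-body and attribute contexts are exercised.
SAMPLE_FIELD = 'Pump inspection "overdue" <b>escalate</b>'

# Both templates below emit exactly two tags of their own (<td> and </td>, or
# the single <input> plus nothing); anything beyond that came from user input.
TEMPLATE_TAG_COUNT = 2


def render_unencoded(value: str) -> str:
    """Vulnerable pattern: user content concatenated straight into HTML."""
    return f'<td class="description">{value}</td>'


def render_encoded(value: str) -> str:
    """Hardened pattern for an element-body context: entity-encode &, <, >, quotes."""
    return f'<td class="description">{html.escape(value, quote=True)}</td>'


def render_attribute_encoded(value: str) -> str:
    """Hardened pattern for an attribute context: always quote the attribute
    and encode quotes so the value cannot terminate it."""
    return f'<input type="text" name="description" value="{html.escape(value, quote=True)}">'


# Matches an opening or closing HTML tag; used only as a coarse re-test probe.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_injected_markup(rendered: str, template_tags: int = TEMPLATE_TAG_COUNT) -> bool:
    """Re-test helper: if the rendered fragment holds more tags than the
    template itself emits, user-supplied markup survived rendering."""
    return len(TAG_RE.findall(rendered)) > template_tags


def csp_restricts_scripts(headers: dict) -> bool:
    """Return True when a Content-Security-Policy header is present and its
    effective script source list (script-src, else default-src) does not
    contain 'unsafe-inline'. A CSP that allows inline scripts offers no
    mitigation for reflected or stored XSS, so it is treated as absent."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return False
    directives = {}
    for part in csp.split(";"):
        part = part.strip()
        if part:
            directives[part.split(" ")[0].lower()] = part
    script = directives.get("script-src") or directives.get("default-src")
    return script is not None and "'unsafe-inline'" not in script


if __name__ == "__main__":
    print("vulnerable :", render_unencoded(SAMPLE_FIELD))
    print("encoded    :", render_encoded(SAMPLE_FIELD))
    print("attribute  :", render_attribute_encoded(SAMPLE_FIELD))
    # Constructed header maps, not captured from any real deployment.
    print("CSP ok     :", csp_restricts_scripts(
        {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-c0nstructed'"}))
    print("CSP weak   :", csp_restricts_scripts(
        {"Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}))
```

The tag-count probe is deliberately crude: it is meant as a cheap regression check to run over rendered fragments after applying vendor guidance, not as a substitute for reviewing each template context (URL, JavaScript and CSS contexts need their own encoders, which this example does not cover). The CSP check likewise treats the header as a secondary control, consistent with the guidance above that the server-side fix remains the primary remediation.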

Evidence notes

The debrief is based on the supplied NVD record and its referenced IBM PSIRT advisory. The corpus states the issue is XSS in IBM Maximo Asset Management, maps it to CWE-79, provides the CVSS 3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and lists the affected IBM Maximo/Tivoli product CPEs. The supplied references include IBM’s vendor advisory/patched reference and a SecurityFocus advisory entry. No exploit details, proof-of-concept code, or unsupported remediation version numbers are included.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-01; NVD last modified the record on 2026-05-13. No CISA KEV entry is present in the supplied data.