PatchSiren cyber security CVE debrief
CVE-2016-6096 IBM CVE debrief
CVE-2016-6096 is a cross-site scripting vulnerability in IBM Tivoli Key Lifecycle Manager. According to the NVD record and the vendor reference it cites, affected users can embed arbitrary JavaScript in the Web UI, which can alter intended functionality and may lead to credential disclosure within a trusted session. NVD published the record on 2017-02-07 and later modified it on 2026-05-13.
- Vendor: IBM
- Product: CVE-2016-6096
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-07
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-07
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for IBM Tivoli Key Lifecycle Manager and IBM Security Key Lifecycle Manager deployments should care, especially where the Web UI is reachable by trusted users. Identity, key-management, and operations teams that manage administrative sessions or credentials should also prioritize review.
Technical summary
NVD classifies CVE-2016-6096 as CWE-79 (cross-site scripting) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue affects IBM Tivoli Key Lifecycle Manager 2.0.1 and IBM Security Key Lifecycle Manager 2.5 and 2.6 maintenance levels listed in the NVD CPE criteria. The described impact is that arbitrary JavaScript can be embedded in the Web UI, potentially changing UI behavior and exposing credentials during a trusted session.
Defensive priority
Medium. This is a network-reachable web UI XSS issue with possible credential exposure, so it should be remediated on any active IBM Key Lifecycle Manager deployment that matches the affected versions.
Recommended defensive actions
- Apply IBM's remediation or patch guidance referenced by the vendor advisory linked in NVD.
- Inventory all IBM Tivoli Key Lifecycle Manager and IBM Security Key Lifecycle Manager instances and compare them against the affected versions listed by NVD.
- Treat the Web UI as a sensitive administrative surface and limit access to trusted users and networks while remediation is pending.
- Review administrative sessions and related credentials for any exposure risk if the UI was used on an affected version.
- Validate that the deployed maintenance level is outside the affected CPE entries before closing the issue.
Evidence notes
Supported statements come from the supplied NVD record and its referenced IBM PSIRT advisory. NVD lists CWE-79 and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vendor description states that arbitrary JavaScript can be embedded in the Web UI and that this may lead to credentials disclosure within a trusted session. The NVD references include the IBM support advisory and SecurityFocus BID 95983.
Official resources
- CVE-2016-6096 CVE record (CVE.org)
- CVE-2016-6096 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed in the CVE/NVD record on 2017-02-07. The supplied NVD record was later modified on 2026-05-13, which should not be treated as the issue date.