PatchSiren cyber security CVE debrief

CVE-2016-6113 IBM CVE debrief

CVE-2016-6113 is a cross-site scripting issue affecting IBM's web UI ecosystem. According to the CVE description, users can embed arbitrary JavaScript in the Web UI, which can alter intended functionality and potentially expose credentials within a trusted session. NVD rates the issue as medium severity and maps it to CWE-79.

Vendor: IBM
Product: CVE-2016-6113
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Verse, IBM Domino, and IBM iNotes administrators and users should care, especially where the affected web UI is exposed to untrusted content or where users regularly interact with shared or externally supplied data.

Technical summary

The vulnerability is a web-based XSS flaw. NVD assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact, and no availability impact. The impact is primarily on confidentiality and integrity because injected script can run in a trusted browser session. NVD's affected CPE list includes IBM Domino and IBM iNotes versions 8.5.1.0 through 9.0.1.6.

Defensive priority

Moderate. The issue is exploitable only with user interaction, but it can still lead to session abuse or credential disclosure inside a trusted context, so it should be prioritized for patching or mitigation on exposed or heavily used web front ends.

Recommended defensive actions

  • Review IBM's vendor advisory for any product-specific remediation or update guidance.
  • Update affected IBM Domino and iNotes installations to fixed versions if available in the vendor guidance.
  • Reduce exposure to untrusted HTML or user-supplied content in the affected Web UI.
  • Validate that input handling and output encoding controls are in place for any custom extensions or integrations.
  • Monitor for suspicious script injection patterns and unexpected session behavior in browser-based workflows.

Evidence notes

The source corpus includes an IBM vendor advisory reference and NVD mapping. The CVE description states that arbitrary JavaScript can be embedded in the Web UI and may disclose credentials within a trusted session. NVD classifies the weakness as CWE-79 and records the issue as Modified. The published CVE date is 2017-02-01T20:59:02.427Z; the later modified timestamp should not be treated as the original issue date.

Official resources

Publicly published in the CVE record on 2017-02-01T20:59:02.427Z. The NVD record was later modified on 2026-05-13T00:24:29.033Z. No Known Exploited Vulnerabilities listing was provided in the source corpus.