PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6124 IBM CVE debrief

CVE-2016-6124 is a high-severity IBM Kenexa LMS on Cloud vulnerability involving arbitrary file upload. According to the NVD record, a remote attacker with low privileges could upload arbitrary files and potentially execute code on the vulnerable server. Affected versions listed by NVD include 13.1, 13.2, 13.2.2, 13.2.3, and 13.2.4.

Vendor: IBM
Product: IBM Kenexa LMS on Cloud
CVE: CVE-2016-6124
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Kenexa LMS on Cloud administrators, application owners, and security teams responsible for internet-facing or user-upload-enabled deployments should treat this as a priority review item.

Technical summary

The NVD entry maps this issue to CWE-434 (Unrestricted Upload of File with Dangerous Type) and gives a CVSS v3.0 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The core risk is that a remote attacker can submit arbitrary files through the vulnerable upload path and leverage that to execute code on the server.
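The CWE-434 weakness named above is the absence of server-side checks on what an upload is allowed to be. The following is an added example for this debrief, not code from IBM or from Kenexa LMS, showing the checks a hardened upload handler performs: the allowed extension list, the size cap and the magic-byte table are assumptions chosen for illustration, and the server, not the client, picks the stored file name.

```python
"""Allowlist-based upload validation for the CWE-434 pattern.

Added example for this debrief; it is not IBM Kenexa LMS code. The
allowed types, the size cap and the decision structure are assumptions.
"""
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Extensions the application actually needs, each paired with the magic
# bytes its content must start with (assumed allowlist; adjust per deployment).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 10 * 1024 * 1024  # assumed size cap


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # server-chosen name, never the client's


def validate_upload(filename: str, content: bytes) -> UploadDecision:
    """Accept only files whose name, extension and content agree with the allowlist."""
    # The client-supplied name must be a bare file name: no separators, no NUL bytes.
    if (not filename or "/" in filename or "\\" in filename or "\x00" in filename
            or os.path.basename(filename) != filename):
        return UploadDecision(False, "file name must not contain path components")
    # Exactly one extension: rejects shell.jsp.png, .htaccess, '..' and bare names.
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return UploadDecision(False, "exactly one extension is required")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension .{ext} is not in the allowlist")
    if not content or len(content) > MAX_BYTES:
        return UploadDecision(False, "content is empty or exceeds the size cap")
    # The declared type must match the bytes, so a script renamed to .png is refused.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match the declared type")
    # Store under a random server-generated name carrying the validated extension;
    # the caller should write it to a directory the web server never executes from.
    return UploadDecision(True, "accepted", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    # Constructed inputs, not files from any real deployment.
    for name, data in [("report.pdf", b"%PDF-1.4 constructed"),
                       ("pic.jsp.png", b"\x89PNG\r\n\x1a\nconstructed"),
                       ("pic.png", b"<% constructed %>")]:
        print(name, validate_upload(name, data))
```

The three checks are deliberately independent: stripping path components, enforcing a single allowlisted extension, and matching content to that extension each close a different bypass, and the random stored name removes the client's influence over what ends up on disk.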

Defensive priority

High. The issue is network-exploitable, requires only low privileges, and carries a high CVSS score of 8.8 with potential impact to confidentiality, integrity, and availability.

Recommended defensive actions

  • Review the IBM PSIRT advisory referenced by NVD for remediation guidance.
  • Verify whether any IBM Kenexa LMS on Cloud instances are running affected versions listed by NVD.
  • Restrict or disable file upload functionality where possible until remediation is confirmed.
  • Monitor upload handling paths for unexpected file types, filenames, or execution behavior.
  • Apply IBM-provided fixes or vendor guidance as soon as it is available for the affected deployment.
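The monitoring action above can be started from ordinary web access logs. The following is an added example for this debrief, not IBM tooling: it parses combined-format log lines and flags requests for files under an upload directory whose type is outside the expected set or which carry a double extension. The /uploads/ prefix, the expected-extension set and the sample log lines are assumptions constructed for illustration.

```python
"""Scan web access logs for requests to uploaded files of unexpected types.

Added example for this debrief; it is not IBM code. The /uploads/ prefix,
the expected-extension set and the sample lines are assumed/constructed.
"""
import re
from typing import Dict, List, Optional

# Common/combined log format, with just the fields this check needs (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UPLOAD_PREFIX = "/uploads/"           # assumed location of stored uploads
EXPECTED_EXT = {"png", "jpg", "pdf"}  # assumed allowlist, same as the upload policy

# Constructed sample lines; hosts and paths are not from any real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2017:10:00:01 +0000] "POST /lms/upload HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Feb/2017:10:00:03 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 10240',
    '203.0.113.9 - - [01/Feb/2017:10:01:10 +0000] "GET /uploads/avatar.jsp HTTP/1.1" 200 88',
    '198.51.100.2 - - [01/Feb/2017:10:02:00 +0000] "GET /uploads/photo.php.png HTTP/1.1" 200 310',
    '203.0.113.5 - - [01/Feb/2017:10:03:00 +0000] "GET /uploads/logo.jpg?v=2 HTTP/1.1" 304 -',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_upload_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests under the upload prefix whose file type is not expected."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(UPLOAD_PREFIX):
            continue
        name = path.rsplit("/", 1)[-1]
        parts = name.lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        reason = None
        if ext not in EXPECTED_EXT:
            reason = f"unexpected file type .{ext or '(none)'}"
        elif len(parts) > 2:
            reason = "double extension"
        if reason:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": path,
                "status": int(rec["status"]),
                # A 2xx on an unexpected type means the server actually served it.
                "served": rec["status"].startswith("2"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in flag_upload_requests(SAMPLE_LOG):
        print(f)
```

Run against real logs, the "served" field separates noise (probes for files that were never there) from the cases worth an immediate look: a successfully served file of a type the application never accepts.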

Evidence notes

The debrief is based on the supplied NVD record published at 2017-02-01T20:59:02.537Z and modified at 2026-05-13T00:24:29.033Z. The NVD data identifies IBM Kenexa LMS on Cloud as affected, lists vulnerable versions 13.1, 13.2, 13.2.2, 13.2.3, and 13.2.4, assigns CVSS v3.0 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and maps the weakness to CWE-434. Vendor and third-party advisory references are included in the source corpus, but their contents were not expanded here.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-02-01. This debrief uses the CVE published date supplied in the record, not the later modification date.