PatchSiren cyber security CVE debrief

CVE-2016-8920 IBM CVE debrief

CVE-2016-8920 is a cross-site scripting issue in IBM Kenexa LMS on Cloud affecting versions 13.1 and 13.2 through 13.2.4. According to the CVE description, users can embed arbitrary JavaScript in the web UI, which can alter application behavior and may expose credentials within a trusted session. NVD assigns a CVSS 3.0 base score of 5.4 (Medium): network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope.

Vendor: IBM
Product: CVE-2016-8920
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators, security teams, and users responsible for IBM Kenexa LMS on Cloud 13.1 and 13.2 through 13.2.4 should prioritize this finding, especially in environments where users can submit or view content in the web interface and where authenticated sessions may expose sensitive data.

Technical summary

The vulnerability is classified as CWE-79 (cross-site scripting). NVD lists the affected IBM Kenexa LMS on Cloud CPEs for 13.1, 13.2, 13.2.2, 13.2.3, and 13.2.4. The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates a remotely reachable issue that requires some privileges and user interaction, with potential impact to confidentiality and integrity rather than availability.

Defensive priority

Medium. This is an authenticated, user-interaction-dependent XSS issue with possible credential exposure, so it should be remediated promptly on systems that still run the affected versions or where application of IBM's mitigation guidance has not been confirmed.

Recommended defensive actions

  • Review IBM's vendor advisory for the supported fix or mitigation guidance for CVE-2016-8920.
  • Upgrade or remediate IBM Kenexa LMS on Cloud instances running versions 13.1 through 13.2.4.
  • Restrict or sanitize user-supplied content in the web UI to reduce script injection risk.
  • Verify that session handling and credential exposure controls are in place for impacted user flows.
  • Validate remediation by retesting affected UI inputs and monitoring for unexpected script execution.

Evidence notes

This debrief is based only on the supplied CVE record and referenced official sources. The record states: IBM Kenexa LMS on Cloud 13.1 and 13.2-13.2.4 are vulnerable to cross-site scripting; arbitrary JavaScript can be embedded in the Web UI; and this may lead to credentials disclosure within a trusted session. NVD classifies the weakness as CWE-79 and provides the CVSS v3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. References include the IBM support advisory and a SecurityFocus BID entry.

Official resources

Publicly disclosed in the CVE record on 2017-02-01. The supplied record was last modified on 2026-05-13; that date reflects a metadata update, not the original disclosure of the vulnerability.