PatchSiren cyber security CVE debrief

CVE-2016-8928 IBM CVE debrief

CVE-2016-8928 is a high-severity SQL injection vulnerability in IBM Kenexa LMS on Cloud. NVD classifies it as CWE-89 and lists affected Kenexa LMS versions including 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2. A remote attacker with low privileges could send specially crafted SQL statements to affect data stored in the backend database.

Vendor: IBM
Product: IBM Kenexa LMS on Cloud
CVE: CVE-2016-8928
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Organizations running IBM Kenexa LMS on Cloud, especially administrators, application owners, security teams, and incident responders responsible for the listed Kenexa LMS versions.

Technical summary

The NVD record describes a network-reachable SQL injection issue with low attack complexity and low privileges required. The CVSS 3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L: high confidentiality impact (C:H) with low, but still meaningful, integrity and availability impact (I:L, A:L), and the scope is unchanged (S:U). The weakness is mapped to CWE-89 (SQL Injection).

Defensive priority

High. The issue is remotely reachable and can expose or alter backend database data, so affected deployments should be prioritized for inventory, patch verification, and compensating controls.

Recommended defensive actions

  • Inventory IBM Kenexa LMS installations and confirm whether any of the affected versions listed by NVD are in use.
  • Review and apply IBM PSIRT remediation guidance referenced in the vendor advisory link.
  • Restrict application and database privileges to the minimum necessary while remediation is being completed.
  • Monitor for unusual database errors, unexpected query behavior, and suspicious requests targeting the application.
  • Validate that all user-controlled input reaching database queries is properly parameterized or otherwise protected in any custom integrations or extensions.

Evidence notes

The supplied official sources identify this as CVE-2016-8928, first published in the NVD/CVE data on 2017-02-01 and last modified on 2026-05-13. NVD records CWE-89, the CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L, and the affected IBM Kenexa LMS CPEs. IBM PSIRT and SecurityFocus references are included in the source corpus. No Known Exploited Vulnerability (KEV) entry was supplied.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-01; the record was last modified on 2026-05-13. No KEV date was supplied.