PatchSiren cyber security CVE debrief

CVE-2016-8930 IBM CVE debrief

CVE-2016-8930 is a SQL injection vulnerability in IBM Kenexa LMS on Cloud. According to the NVD record, affected releases include Kenexa LMS 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2. A remote attacker who can reach the vulnerable application and submit crafted input may be able to read or alter backend database content. The CVSS 3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L: the issue is reachable over the network, has low attack complexity, requires only a low-privileged account and no user interaction, and carries a high confidentiality impact with lower integrity and availability impact. The weakness is classified as CWE-89 (SQL Injection).

Vendor: IBM
Product: IBM Kenexa LMS on Cloud
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Kenexa LMS on Cloud administrators, application owners, and security teams responsible for affected versions 4.1 through 5.2 should prioritize this advisory, especially if the application is exposed to untrusted users or connected to sensitive data.

Technical summary

NVD identifies CVE-2016-8930 as a SQL injection issue in IBM Kenexa LMS on Cloud. The vulnerability affects multiple product versions (4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, 5.2). The supplied description states that specially crafted SQL statements could allow a remote attacker to view, add, modify, or delete information in the backend database. NVD maps the issue to CWE-89 and assigns CVSS 3.0 7.6 (High).
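The CWE-89 pattern the summary describes, shown as an added example rather than any Kenexa LMS code or schema: a search routine that splices untrusted input into the SQL text next to the same routine using a bound parameter. The in-memory SQLite table, the course rows, and the search term are all constructed for the demonstration; only the vulnerability class comes from the advisory.

```python
import sqlite3

# Constructed stand-in for an LMS course catalogue. The schema and rows are
# assumptions for this example, not the product's real data model.
SAMPLE_ROWS = [
    (1, "Intro to Security", "public"),
    (2, "Executive Compensation Briefing", "restricted"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course (id INTEGER, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO course VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """CWE-89: the caller's string becomes part of the SQL statement, so a
    quote in the input can close the literal and rewrite the WHERE clause."""
    sql = (
        "SELECT id, title FROM course WHERE visibility = 'public' "
        "AND title LIKE '%" + term + "%'"
    )
    return list(conn.execute(sql))


def search_safe(conn, term):
    """Fix: the value travels as a bound parameter and is never parsed as SQL,
    so the same input is matched literally against the title column."""
    sql = (
        "SELECT id, title FROM course WHERE visibility = 'public' "
        "AND title LIKE ?"
    )
    return list(conn.execute(sql, ("%" + term + "%",)))


if __name__ == "__main__":
    conn = make_db()
    # A term that closes the string literal and appends its own condition.
    crafted = "x%' OR visibility='restricted' --"
    print("vulnerable:", search_vulnerable(conn, crafted))  # leaks the restricted row
    print("parameterized:", search_safe(conn, crafted))      # matches nothing
    print("normal search:", search_safe(conn, "Security"))
```

The restricted row comes back from `search_vulnerable` because `--` comments out the trailing quote and the appended `OR` defeats the visibility filter; `search_safe` returns nothing for the same input because the whole string is compared as a LIKE pattern. Input validation on top of this is still worthwhile, but parameterization is the control that removes the injection.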

Defensive priority

High. The issue is network-reachable, relatively easy to trigger, and affects database confidentiality and integrity. Prioritize applying the vendor fix (or confirming that vendor-side remediation has already been applied), then verify that no sensitive data or database records were altered before the fix was in place.

Recommended defensive actions

  • Confirm whether IBM Kenexa LMS version 4.1 through 5.2 is deployed anywhere in your environment.
  • Apply the IBM-provided fix or follow the vendor advisory referenced by NVD as soon as possible.
  • Restrict exposure of the application to trusted networks and authenticated users while remediation is in progress.
  • Review application and database logs for suspicious or malformed SQL activity around the affected service.
  • Validate database integrity and account changes after remediation, and rotate credentials if there is any sign of abuse.
  • If custom code or integrations touch the affected application, ensure parameterized queries and input validation are used consistently.
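The first and fourth actions above (inventory check and log review), as an added example that is not PatchSiren's or IBM's tooling. It checks inventoried version strings against the releases NVD lists for CVE-2016-8930 and scans request-log lines for common SQL-injection indicators in query-string values. The Common Log Format layout, the indicator patterns, and the sample log lines are constructed assumptions; the affected-version list is the one given in this advisory.

```python
import re
from urllib.parse import unquote_plus

# Releases NVD lists as affected by CVE-2016-8930 (taken from the advisory).
AFFECTED_VERSIONS = {"4.1", "4.2", "4.2.2", "4.2.3", "4.2.4", "5.0", "5.1", "5.2"}


def is_affected(version):
    """True when an inventoried Kenexa LMS version string is in the NVD list.
    Inventory formatting is an assumption; only surrounding whitespace is stripped."""
    return version.strip() in AFFECTED_VERSIONS


# Heuristic indicators of SQL-injection attempts in decoded query strings.
# The patterns are assumptions for this example; tune them against real traffic.
INDICATORS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),          # quote followed by OR x=
    re.compile(r"(--|#|/\*)"),                                # SQL comment sequences
    re.compile(r"\bunion\b.*\bselect\b", re.I),               # UNION ... SELECT
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),   # stacked statements
]

# Common Log Format request line; the field layout is an assumption.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_requests(lines):
    """Return (ip, timestamp, decoded path, matched patterns) for every request
    whose decoded query string matches at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = unquote_plus(m.group("path"))
        # Only the query string is inspected; static paths rarely carry injection.
        _, _, query = decoded.partition("?")
        matched = [p.pattern for p in INDICATORS if p.search(query)]
        if matched:
            hits.append((m.group("ip"), m.group("ts"), decoded, matched))
    return hits


# Constructed sample log lines; not real Kenexa LMS traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2017:10:00:01 +0000] "GET /lms/search?q=leadership HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Feb/2017:10:00:07 +0000] "GET /lms/search?q=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [01/Feb/2017:10:00:09 +0000] "GET /lms/course?id=5+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Feb/2017:10:01:00 +0000] "GET /lms/static/app.js HTTP/1.1" 200 40000',
]

if __name__ == "__main__":
    for v in ("4.2.3", "5.2", "5.3"):
        print(v, "affected" if is_affected(v) else "not in NVD list, verify with vendor")
    for ip, ts, path, matched in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {path} -> {len(matched)} indicator(s)")
```

A version that is not in the NVD list is reported as "verify with vendor" rather than "safe", since the advisory only enumerates the releases NVD names. Decoding before matching matters: the second sample line carries its quotes and `=` URL-encoded and would not match against the raw path. A matching line is a lead for the integrity review in the fifth action, not proof of compromise on its own.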

Evidence notes

The NVD record for CVE-2016-8930 lists IBM Kenexa LMS versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2 as vulnerable and classifies the weakness as CWE-89. The supplied description states that crafted SQL statements may let a remote attacker view, add, modify, or delete backend database data. NVD also provides CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L and references an IBM support advisory and a SecurityFocus entry.

Official resources

CVE published on 2017-02-01. The supplied NVD record was modified on 2026-05-13. No KEV entry is present in the supplied data, and no exploitation campaign information is provided.