PatchSiren

CVE-2016-8941 IBM CVE debrief

CVE-2016-8941 is a cross-site request forgery (CSRF) issue in IBM Tivoli Storage Productivity Center and related Spectrum Control releases. NVD rates it 8.8 High with network access, no privileges required, and user interaction required, reflecting the potential for a trusted user to be induced into performing malicious or unauthorized actions.

Vendor: IBM
Product: CVE-2016-8941
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Storage administrators, security teams, and operations staff running IBM Tivoli Storage Productivity Center or IBM Spectrum Control versions listed by NVD, especially 5.2.x deployments that expose web-based administrative functions to regular users.

Technical summary

NVD maps this issue to CWE-352 and lists affected IBM versions including Tivoli Storage Productivity Center 5.2.0, 5.2.0.0, 5.2.1.0, 5.2.1.1, 5.2.2.0, 5.2.3.0, 5.2.4.0, 5.2.4.1, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.7.0, 5.2.7.1, and Spectrum Control 5.2.8 through 5.2.11. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that a remote attacker can rely on user interaction to drive unauthorized state-changing requests against a trusted session.

Defensive priority

High. The vulnerability is remotely reachable and can affect confidentiality, integrity, and availability if a user can be induced to interact with the application, so affected deployments should be prioritized for patching or vendor-guided remediation.

Recommended defensive actions

  • Check whether your environment matches any of the affected IBM Tivoli Storage Productivity Center or Spectrum Control versions listed in NVD.
  • Review and apply the IBM PSIRT guidance linked from the vendor advisory reference (swg21995128).
  • Confirm that administrative workflows are protected against CSRF using vendor-supported controls and follow IBM’s remediation instructions.
  • Limit exposure of administration interfaces where practical and monitor for unexpected state-changing actions initiated through authenticated web sessions.
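One way to approach the monitoring action above, as an added example that is not taken from IBM, NVD or this site: scan web-tier access logs for authenticated state-changing requests whose Referer is missing or points at another host. It assumes the console sits behind a web server or proxy that writes NCSA combined-format logs; the hostname, paths, users and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hostname users legitimately reach the console through.
TRUSTED_HOSTS = {"storage-console.example.internal"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# NCSA combined format: client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def referer_host(referer):
    """Host of a Referer value (urlsplit lower-cases it), or None if absent or unparseable."""
    if referer in ("", "-"):
        return None
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None

def suspicious_requests(lines):
    """Return (reason, fields) for authenticated state-changing requests with a missing or foreign Referer."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] == "-" or m["method"] not in STATE_CHANGING:
            continue  # unparseable, anonymous or read-only: out of scope here
        host = referer_host(m["referer"])
        if host is None:  # lower confidence: some clients and proxies strip Referer
            findings.append(("missing-referer", m.groupdict()))
        elif host not in TRUSTED_HOSTS:  # exact match, so look-alike suffixes do not pass
            findings.append(("foreign-referer", m.groupdict()))
    return findings

# Constructed sample lines; paths, users and addresses are illustrative only.
T = "[01/Feb/2017:10:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 - alice {T} "GET /console/dashboard HTTP/1.1" 200 5120 "https://storage-console.example.internal/" "UA"',
    f'192.0.2.10 - alice {T} "POST /console/api/settings HTTP/1.1" 200 312 "https://storage-console.example.internal/settings" "UA"',
    f'192.0.2.11 - bob {T} "POST /console/api/users HTTP/1.1" 200 98 "https://forum.example.net/thread/42" "UA"',
    f'192.0.2.11 - bob {T} "POST /console/api/users HTTP/1.1" 200 98 "-" "UA"',
    f'192.0.2.12 - carol {T} "DELETE /console/api/alerts/7 HTTP/1.1" 204 0 "https://storage-console.example.internal.example.net/" "UA"',
    f'198.51.100.7 - - {T} "POST /console/login HTTP/1.1" 401 0 "https://forum.example.net/" "UA"',
]

if __name__ == "__main__":
    print([(r, f["user"], f["path"]) for r, f in suspicious_requests(SAMPLE)])
```

Findings are triage leads rather than proof of exploitation; correlate them with the application's own audit trail before acting.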

Evidence notes

All claims are derived from the supplied NVD record and linked official/vendor references. The NVD entry shows CVE-2016-8941 was published on 2017-02-01 and later modified on 2026-05-13; that modified date is metadata, not the vulnerability issue date. NVD assigns CWE-352 and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. IBM PSIRT reference swg21995128 is identified as the patch/vendor advisory link in the source corpus.

Official resources

Publicly disclosed in NVD on 2017-02-01. The record was modified on 2026-05-13, but that does not change the original CVE publication date. IBM’s advisory/patch reference is included in the linked vendor materials.