PatchSiren

CVE-2016-8943 IBM CVE debrief

IBM Tivoli Storage Productivity Center, and related IBM Spectrum Control versions listed by NVD, are vulnerable to cross-site scripting in the Web UI. An authenticated user with limited privileges can embed arbitrary JavaScript, which can alter UI behavior and may expose credentials within a trusted session.

Vendor: IBM
Product: CVE-2016-8943
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM storage platform administrators, security teams, and anyone operating or auditing IBM Tivoli Storage Productivity Center or Spectrum Control Web UI deployments. Pay particular attention if the interface is reachable by multiple authenticated users or used for shared administrative access.

Technical summary

NVD maps this issue to CWE-79 and rates it CVSS 3.0 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The source data identifies vulnerable IBM Spectrum Control 5.2.8 through 5.2.11 and IBM Tivoli Storage Productivity Center 5.2.0 through 5.2.7.1. The core risk is browser-side script injection into a trusted Web UI session, which can lead to limited confidentiality and integrity impact.

Defensive priority

Medium priority. This is an authenticated, user-interaction-dependent web UI XSS issue rather than a high-severity remote pre-auth flaw. Patch during normal maintenance, but accelerate remediation if the affected interface is broadly used, internet-facing, or relied on for privileged administration.

Recommended defensive actions

  • Apply the IBM PSIRT/vendor patch or update referenced for this advisory.
  • Confirm whether any affected IBM Spectrum Control or Tivoli Storage Productivity Center versions are deployed, including the NVD-listed 5.2.x releases.
  • Review Web UI input handling and any custom integrations or workflows that pass user-supplied content into the interface.
  • Limit access to the management UI to trusted administrative networks and reduce the number of users with Web UI privileges.
  • Encourage users to re-authenticate after remediation and review session-handling controls for sensitive administrative accounts.
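
The version-confirmation step above can be scripted. The following is an added example, not code from IBM, NVD or this site: it checks an inventory against the two affected ranges listed in the technical summary, comparing version components numerically so that 5.2.10 sorts after 5.2.8. The inventory hostnames, the function names and the exact product strings used as keys are assumptions.

```python
from itertools import zip_longest

# Inclusive affected ranges as listed in the technical summary on this page.
AFFECTED = {
    "IBM Spectrum Control": ("5.2.8", "5.2.11"),
    "IBM Tivoli Storage Productivity Center": ("5.2.0", "5.2.7.1"),
}

# Constructed sample inventory: hostnames and installed versions are made up.
INVENTORY = [
    ("stor-mgmt-01", "IBM Spectrum Control", "5.2.10"),
    ("stor-mgmt-02", "IBM Spectrum Control", "5.2.12"),
    ("tpc-legacy-01", "IBM Tivoli Storage Productivity Center", "5.2.7.1"),
    ("tpc-legacy-02", "IBM Tivoli Storage Productivity Center", "5.2.7.2"),
]

def parse_version(text):
    """Turn '5.2.7.1' into (5, 2, 7, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Numeric component-wise compare; missing components count as 0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def is_affected(product, version):
    """True if product/version falls inside a range listed on this page."""
    bounds = AFFECTED.get(product)
    if bounds is None:
        return False
    low, high = bounds
    return compare(low, version) <= 0 <= compare(high, version)

def affected_hosts(inventory):
    """Return hostnames whose installed version is in a listed range."""
    return [h for h, product, ver in inventory if is_affected(product, ver)]

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: inside CVE-2016-8943 listed range, schedule patch")
```

A result of "not affected" only means the version is outside the ranges listed here; confirm the fixed level against the IBM advisory.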

Evidence notes

Source corpus shows CVE publication on 2017-02-01 and a later NVD modification on 2026-05-13. The vulnerability description explicitly states cross-site scripting in the Web UI with potential credentials disclosure within a trusted session. NVD assigns CWE-79 and the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The provided references include an IBM PSIRT advisory/patched reference and a SecurityFocus entry.

Official resources

Publicly listed in NVD on 2017-02-01. No KEV entry or ransomware-campaign linkage is present in the supplied corpus.