PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8968 IBM CVE debrief

CVE-2016-8968 is a cross-site scripting issue in IBM Jazz Foundation. According to the NVD record and IBM’s advisory reference, a user can embed arbitrary JavaScript in the Web UI, altering intended functionality and potentially disclosing credentials within a trusted session. The issue is rated medium severity and was published on 2017-02-15.

Vendor: IBM
Product: CVE-2016-8968
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for IBM Jazz Foundation or IBM Rational Collaborative Lifecycle Management 6.0.0, 6.0.1, or 6.0.2 should review this issue, especially where authenticated users can create or submit content rendered in the Web UI.

Technical summary

The NVD entry maps this CVE to CWE-79 (Cross-Site Scripting) and lists affected IBM Rational Collaborative Lifecycle Management versions 6.0.0, 6.0.1, and 6.0.2. The CVSS v3.0 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates a network-reachable issue that requires low privileges and user interaction. Confidentiality and integrity impact are both limited, and there is no direct availability impact. The record’s description states that arbitrary JavaScript can be embedded in the Web UI, which can alter behavior in a trusted session and potentially expose credentials.

Defensive priority

Medium

Recommended defensive actions

  • Review IBM’s vendor advisory and apply the vendor-recommended patch or fix for the affected Jazz Foundation / Rational Collaborative Lifecycle Management versions.
  • Verify whether versions 6.0.0, 6.0.1, or 6.0.2 are in use and prioritize remediation on any internet-facing or broadly used deployments.
  • Audit web UI input handling and any user-generated content paths that are rendered back to users.
  • Use output encoding and context-aware sanitization controls for all HTML/JavaScript-bearing fields in the application.
  • Limit the privileges of accounts that can create or edit web content and monitor for suspicious script-like content in stored data.

Evidence notes

All substantive claims here are drawn from the supplied NVD record and the IBM advisory reference listed in that record. The CVE was published on 2017-02-15; the 2026-05-13 modified timestamp reflects record maintenance, not the original issue date. Affected versions are taken from the NVD CPE criteria, and the weakness classification is CWE-79.

Official resources

Publicly disclosed on 2017-02-15 via the CVE/NVD record, with IBM vendor guidance referenced in the NVD entry.