PatchSiren


CVE-2016-8999 IBM CVE debrief

CVE-2016-8999 is a medium-severity IBM InfoSphere issue involving path-relative stylesheet imports. According to NVD, the flaw can cause a page to render in quirks mode, which can then facilitate malicious CSS injection. The affected surface is web-facing and requires user interaction, so the main risk is UI tampering and related integrity impact rather than direct code execution.

Vendor: IBM
Product: CVE-2016-8999
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM InfoSphere Information Server and DataStage administrators, application owners managing user-facing IBM web interfaces, vulnerability management teams, and security teams responsible for enterprise data platforms.

Technical summary

NVD classifies the issue as CWE-79 and assigns CVSS v3.0 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability is described as a path-relative stylesheet import problem that can force a page into quirks mode, making it easier for an attacker to inject or influence CSS and alter how content is rendered. NVD lists affected IBM InfoSphere DataStage versions 8.7, 9.1, 11.3, and 11.5; IBM InfoSphere Information Server versions 8.7, 9.1, 11.3, and 11.5; and IBM InfoSphere Information Server on Cloud 11.5.

Defensive priority

Medium. Prioritize systems that expose affected IBM InfoSphere web interfaces to broad user populations or that rely on custom styling and branding, but this is not framed as an emergency in the supplied data.

Recommended defensive actions

  • Follow the IBM support advisory and apply the vendor-recommended fix or patch guidance referenced by NVD.
  • Inventory IBM InfoSphere DataStage and InfoSphere Information Server deployments and confirm whether any of the affected versions listed by NVD are present.
  • Review web pages and templates for path-relative stylesheet imports, especially in customized or branded interfaces, and align them with vendor-supported, non-relative loading patterns where possible.
  • After remediation, validate that affected pages render in standards mode and that CSS-based UI tampering is not occurring.
  • Add regression checks and monitoring around stylesheet resolution and unexpected rendering changes in sensitive internal applications.
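
One way to automate the template review and standards-mode validation steps above is a small static check, shown here as an added example that is not IBM's or NVD's tooling. It assumes you can obtain rendered HTML for each page; the sample pages, paths and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages (not taken from any IBM product).
SAMPLE_LEGACY = '<html><head><link rel="stylesheet" href="css/main.css"><style>@import url("../theme.css");</style></head><body></body></html>'
SAMPLE_FIXED = '<!DOCTYPE html><html><head><link rel="stylesheet" href="/static/css/main.css"><style>@import "/static/theme.css";</style></head></html>'
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)

def is_path_relative(ref):
    """True when ref resolves against the current page path (no scheme, host or leading '/')."""
    parts = urlsplit(ref.strip())
    return bool(parts.path) and not parts.scheme and not parts.netloc and not parts.path.startswith("/")

class StylesheetAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_doctype, self.in_style, self.findings = False, False, []

    def handle_decl(self, decl):
        # Only doctype presence is checked; legacy quirks-triggering doctypes are not classified.
        self.has_doctype = self.has_doctype or decl.lower().startswith("doctype")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            if is_path_relative(a.get("href") or ""):
                self.findings.append(("link", a["href"]))
        if tag == "style":
            self.in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # inline <style> content: look for path-relative @import targets
            self.findings += [("import", r) for r in IMPORT_RE.findall(data) if is_path_relative(r)]

def audit(html):
    """Report whether a doctype is missing and list path-relative stylesheet references."""
    p = StylesheetAudit()
    p.feed(html)
    p.close()
    return {"quirks_risk": not p.has_doctype, "path_relative": p.findings}

if __name__ == "__main__":
    print("legacy:", audit(SAMPLE_LEGACY))
    print("fixed: ", audit(SAMPLE_FIXED))
```

Running audit() over each page in a regression suite and failing the build on any finding covers the last two actions in the list.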

Evidence notes

The supplied corpus describes the issue as a path-relative stylesheet import vulnerability that can render a page in quirks mode and facilitate malicious CSS injection. NVD lists the weakness as CWE-79 and provides CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The NVD CPE data enumerates affected IBM InfoSphere DataStage and InfoSphere Information Server versions 8.7, 9.1, 11.3, 11.5, plus InfoSphere Information Server on Cloud 11.5. The IBM support advisory is cited in the official NVD references, but the supplied corpus does not include a fixed version number or detailed patch instructions.

Official resources

Publicly disclosed on 2017-02-01 in the CVE/NVD record. The supplied NVD source was last modified on 2026-05-13. No KEV entry is included in the supplied enrichment.