PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9704 IBM CVE debrief

CVE-2016-9704 is a cross-site scripting (XSS) vulnerability in IBM Security Identity Manager Virtual Appliance. NVD describes it as allowing users to embed arbitrary JavaScript in the Web UI, which can alter application behavior and may expose credentials within a trusted session. The issue was published on 2017-02-01 and NVD later marked the record as modified on 2026-05-13.

Vendor: IBM
Product: CVE-2016-9704
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running IBM Security Identity Manager Virtual Appliance, especially the versions listed by NVD as vulnerable. This is also relevant to any team that relies on the appliance Web UI for privileged administration, since XSS in an admin console can impact trusted sessions and credentials.

Technical summary

NVD maps this issue to CWE-79 and lists the CVSS v3.0 vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which matches a network-reachable XSS that requires user interaction. The vulnerable product entries in NVD include IBM Security Identity Manager Virtual Appliance versions 7.0.0.0 through 7.0.1.4. IBM’s referenced advisory and NVD both identify the problem as a Web UI XSS affecting user-supplied content rendered in a trusted browser context.

Defensive priority

Medium. The score is 6.1 and the attack requires user interaction, but the impact can include session abuse and credential exposure in an administrative web interface.

Recommended defensive actions

  • Review IBM’s advisory referenced by NVD and apply the vendor-recommended update or patch for IBM Security Identity Manager Virtual Appliance.
  • Inventory deployments to confirm whether any instances are running versions 7.0.0.0 through 7.0.1.4.
  • Treat the Web UI as a high-value administrative surface and restrict access to trusted users and networks.
  • Validate that session handling, authentication controls, and browser-based administrative workflows are monitored for anomalous behavior.
  • Use browser and application defenses that reduce XSS impact, such as output encoding and Content Security Policy where supported.
  • If immediate patching is not possible, limit exposure of the management interface until remediation is complete.

Evidence notes

Claims in this debrief are limited to the supplied NVD record and the referenced IBM/SecurityFocus/SecurityTracker links. NVD identifies the weakness as CWE-79, gives the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and enumerates vulnerable IBM Security Identity Manager Virtual Appliance versions 7.0.0.0 through 7.0.1.4. The description supplied by NVD states that arbitrary JavaScript can be embedded in the Web UI and may lead to credentials disclosure within a trusted session.

Official resources

Publicly disclosed in NVD/CVE on 2017-02-01; NVD shows the record was modified on 2026-05-13.