PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9975 IBM CVE debrief

CVE-2016-9975 is a cross-site request forgery (CSRF) flaw reported in IBM Jazz for Service Management. In practical terms, a malicious site could induce a logged-in user's browser to send state-changing requests to the product's web interface, which would accept them because they carry the victim's session cookie. The NVD record rates the issue CVSS 8.8 (HIGH): network attack vector, no privileges required of the attacker, but user interaction (the victim visiting the attacker's page) required.

Vendor
IBM
Product
IBM Jazz for Service Management (NVD CPE criteria name IBM Dashboard Application Services Hub; see Evidence notes)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-24
Original CVE updated
2026-05-13
Advisory published
2017-02-24
Advisory updated
2026-05-13

Who should care

Administrators and security teams responsible for IBM Jazz for Service Management deployments, and any environment using the related IBM Dashboard Application Services Hub components referenced in the NVD record. Application owners should also care if users access the product through a browser while authenticated.

Technical summary

The vulnerability is classified as CWE-352 (CSRF). The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the attacker needs no account or privileges of their own and can deliver the attack over the network, but must get an authenticated user to interact with attacker-controlled content, and the resulting request runs with that user's privileges. The supplied description names IBM Jazz for Service Management 1.1.2.1 and 1.1.3, while the NVD CPE criteria in the same record mark IBM Dashboard Application Services Hub 3.1.2.1 and 3.1.3 as vulnerable. Dashboard Application Services Hub is distributed as a component of Jazz for Service Management, so the two version lists may describe the same installation, but that should be confirmed against the IBM advisory and the exact deployed product and version before taking inventory or remediation decisions.

Defensive priority

High. Because the issue can enable unauthorized actions through a trusted browser session, remediation should be prioritized for any affected IBM management interface that is exposed to end users or administrators.

Recommended defensive actions

  • Review the IBM advisory (IBM Reference #1998714) and apply the vendor fix or mitigation guidance for the exact affected product and version.
  • Verify whether your environment runs IBM Jazz for Service Management 1.1.2.1 or 1.1.3, and also confirm whether the related Dashboard Application Services Hub versions listed by NVD are present.
  • Reduce exposure of administrative interfaces to untrusted networks and limit access to authenticated users who truly need it.
  • Use application-side CSRF defenses where the product supports them: per-session anti-CSRF tokens validated on every state-changing request, Origin/Referer checks against the console's own origin, and SameSite attributes on session cookies. Note that SameSite alone does not protect same-site subdomains and that state-changing GET requests remain exposed whatever the cookie policy.
  • Require re-authentication or additional approval for sensitive actions performed through the web console, if available.
  • After patching, test that protected actions cannot be triggered from a cross-origin request: replay a state-changing request with an attacker-controlled Origin, with no Origin or Referer at all, and with the anti-CSRF token stripped, and confirm the server rejects each one while the legitimate same-origin request with a valid token still succeeds.
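The following is an added example, not IBM code and not a model of how Jazz for Service Management or Dashboard Application Services Hub actually validates requests. It shows the two checks the list above asks for (source-origin validation plus a per-session synchronizer token) as a deny-by-default function, and runs it over constructed requests that mirror the post-patch test cases: a legitimate same-origin submission, a forged cross-site POST, a POST with no Origin or Referer, and a same-origin POST with the token stripped. The origin, cookie name and form-field name are assumptions.

```python
"""Origin/Referer plus synchronizer-token CSRF check over constructed requests.

Added illustration for this debrief; it is not IBM's code. TRUSTED_ORIGIN,
the cookie and form-field names, and the request shapes are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical deployment origin of the management console.
TRUSTED_ORIGIN = "https://dash.example.internal:16311"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def new_session_token() -> str:
    """Per-session token the server stores and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    """Reduce a Referer URL to scheme://host[:port]; '' if unparseable."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def csrf_check(req: Request, session_token: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). State-changing requests are denied by default."""
    if req.method.upper() in SAFE_METHODS:
        # Not protected here: an endpoint that changes state on GET stays exposed.
        return True, "safe method"
    if not session_token:
        return False, "no authenticated session"
    # Check 1: the browser sets Origin (or Referer) and a page cannot forge it,
    # so a request launched from an attacker's site names the attacker's origin.
    origin = req.headers.get("Origin") or _origin_of(req.headers.get("Referer", ""))
    if not origin:
        return False, "missing Origin and Referer"
    if origin != TRUSTED_ORIGIN:
        return False, f"cross-origin request from {origin}"
    # Check 2: the attacker cannot read the victim's form, so a forged request
    # cannot supply the per-session token. Constant-time comparison.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


def run_cases() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests covering the post-patch verification cases."""
    token = new_session_token()
    session = {"LtpaToken2": "victim-session"}  # cookie name assumed
    action = {"action": "deleteUser", "user": "admin"}  # constructed payload
    cases = {
        "legit": Request("POST", {"Origin": TRUSTED_ORIGIN}, session,
                         {**action, "csrf_token": token}),
        "referer_only": Request("POST", {"Referer": TRUSTED_ORIGIN + "/ibm/console/"},
                                session, {**action, "csrf_token": token}),
        "forged_cross_origin": Request("POST", {"Origin": "https://attacker.example"},
                                       session, action),
        "forged_no_origin": Request("POST", {}, session, action),
        "same_origin_no_token": Request("POST", {"Origin": TRUSTED_ORIGIN},
                                        session, action),
        "safe_get": Request("GET", {"Origin": "https://attacker.example"}, session),
    }
    return {name: csrf_check(req, token) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_cases().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The same six request shapes are what a post-patch verification script should send at the real console: only the first two should succeed. The "safe_get" case passing is deliberate and is the caveat to keep in mind, since neither check covers an endpoint that performs a state change on GET.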

Evidence notes

The source corpus contains two relevant signals that do not perfectly align: the human-readable description says IBM Jazz for Service Management 1.1.2.1 and 1.1.3 are vulnerable, while the NVD CPE criteria mark IBM Dashboard Application Services Hub 3.1.2.1 and 3.1.3 as vulnerable and list the Jazz for Service Management CPEs as not vulnerable. The record also cites CWE-352 and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. No KEV entry was provided.

Official resources

The vendor advisory is IBM Reference #1998714. The CVE was published on 2017-02-24; the NVD record was later modified on 2026-05-13. No Known Exploited Vulnerabilities (KEV) entry was provided in the supplied data.