CVE-2016-0370
Description
Cross-site scripting (XSS) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3 allows remote authenticated users to inject arbitrary web script or HTML via crafted input to an application that was built with this product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3 are vulnerable to stored cross-site scripting via crafted input in built applications.
Vulnerability
IBM Forms Experience Builder versions 8.5, 8.5.1, and 8.6.0 before the 8.6.3 release contain a stored cross-site scripting (XSS) vulnerability [1]. An authenticated user with administrator privileges can inject arbitrary web script or HTML through crafted input when building an application using the product [1]. The injected content is stored and subsequently rendered, affecting other users who interact with the application [1].
Exploitation
To exploit this vulnerability, an attacker must have valid credentials for the IBM Forms Experience Builder with administrator-level access to the application-building functionality [1]. The attacker crafts malicious script or HTML input as part of the application design; no other user interaction is required during the injection step [1]. When other users open or interact with the modified application, the malicious content executes in the context of their browser session [1].
Impact
Successful exploitation leads to arbitrary web script or HTML execution in the victim's browser within the security context of the affected application [1]. The scope remains unchanged with a low impact on integrity (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N) [1]. No confidentiality or availability impact is identified; the attacker can achieve limited content manipulation but cannot directly access sensitive data or execute system commands [1].
Mitigation
IBM released version 8.6.3, which contains the fix for this vulnerability [1]. For affected versions 8.5, 8.5.1, and 8.6.0, administrators should upgrade to version 8.6.3 or later [1]. For those who cannot upgrade immediately, IBM Support provides interim fixes (LO88451, LO88449) and installation assistance on request [1]. No workaround other than applying the fix or contacting support is documented.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:forms_experience_builder:8.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:forms_experience_builder:8.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:forms_experience_builder:8.5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:forms_experience_builder:8.6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:forms_experience_builder:8.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:forms_experience_builder:8.6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:forms_experience_builder:8.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:forms_experience_builder:8.6.2.1:*:*:*:*:*:*:*
- (no CPE) range: <8.6.3
Patches
No patches discovered yet.
References
- www-01.ibm.com/support/docview.wss (nvd: Patch, Vendor Advisory)
- www-01.ibm.com/support/docview.wss (nvd: Not Applicable)
- www-01.ibm.com/support/docview.wss (nvd: Broken Link)
- www.securityfocus.com/bid/92471 (nvd)