VYPR
Medium severity (5.4) · NVD Advisory · Published Feb 1, 2017 · Updated May 13, 2026

CVE-2016-5948

Description

IBM Kenexa LCMS Premier on Cloud is vulnerable to stored cross-site scripting, allowing authenticated users to inject arbitrary JavaScript, potentially leading to credential disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2016-5948 is a stored cross-site scripting (XSS) vulnerability in IBM Kenexa LCMS Premier on Cloud, versions prior to 10.3. The flaw allows authenticated users to embed arbitrary JavaScript code into the Web UI, which is then executed in the context of other users' sessions. The vulnerability is present in the LCMS on Cloud platform and requires low privileges to exploit, with user interaction needed for the payload to be triggered. The official advisory lists this as one of multiple security issues addressed in version 10.3 [1].

Exploitation

An attacker must first have a valid account on the IBM Kenexa LCMS Premier on Cloud instance. The attacker then crafts a malicious JavaScript payload and injects it into a web page or form field that will be rendered to other users. When another user (including an administrator) views the affected page, the injected script executes in their browser session. The attack is network-based, requires low attack complexity, and depends on user interaction (the victim viewing the crafted page). The CVSS vector string confirms: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the trusted LCMS session context. This can lead to credential disclosure (e.g., session tokens, passwords, or other sensitive data) through access to cookies, form values, or the DOM. The confidentiality and integrity impacts are both rated low; the scope is rated as changed because the injected code runs in the victim's browser under the application's origin rather than in the attacker's own session. The attacker does not gain direct server-side access but can perform actions on behalf of the victim, potentially leading to further compromise [1].

Mitigation

The vulnerability was addressed in IBM Kenexa LCMS Premier on Cloud version 10.3. Organizations should upgrade to version 10.3 or later, as stated in the IBM security bulletin published on the support site [1]. There is no evidence that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Tenants that cannot upgrade immediately should still apply the fix as soon as possible, since the same release addresses additional vulnerabilities.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
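The narrative above describes the stored-XSS pattern in general terms: content saved by one authenticated user is rendered unencoded into pages other users view, and a script that runs there can read cookies or the DOM. The following is an added example, not IBM's code and not taken from the advisory; it contrasts an unsafe render with a context-encoded one and shows the HttpOnly cookie attribute that keeps a session token out of reach of injected script. All names (renderUnsafe, renderSafe, sessionCookieHeader, the LCMS_SESSION cookie) are hypothetical.

```javascript
// Added example (hypothetical code, not the product's own): unsafe vs. hardened
// rendering of stored, user-supplied content, the pattern behind CVE-2016-5948.

// Constructed sample: a "comment" saved by a low-privileged authenticated user.
const STORED_COMMENT = {
  author: 'learner1',
  body: "<script>/* injected: would run in every viewer's session */</script>",
};

// Vulnerable pattern: stored values are concatenated straight into HTML.
function renderUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Minimal entity encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted value is encoded for the context it lands in,
// so markup typed by one user is displayed as text to every other user.
function renderSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
    `${escapeHtml(comment.body)}</div>`;
}

// Simple check a reviewer or test can run on rendered output: does a raw
// <script ...> element survive into the page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: HttpOnly keeps the session token out of document.cookie, so
// script that does execute cannot read it directly (the credential-disclosure path
// the advisory mentions). Cookie name is hypothetical.
function sessionCookieHeader(token) {
  return `LCMS_SESSION=${encodeURIComponent(token)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Demo when run directly with node.
console.log('unsafe render keeps <script>:', containsScriptTag(renderUnsafe(STORED_COMMENT))); // true
console.log('hardened render keeps <script>:', containsScriptTag(renderSafe(STORED_COMMENT))); // false
console.log(sessionCookieHeader('demo-token'));
```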

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)