CVE-2016-5951
Description
IBM Kenexa LCMS Premier on Cloud 10.3 is vulnerable to stored cross-site scripting, allowing authenticated users to inject arbitrary JavaScript into the Web UI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM Kenexa LCMS Premier on Cloud version 10.3 is vulnerable to cross-site scripting (XSS). This vulnerability allows authenticated users to embed arbitrary JavaScript code into the Web UI, altering the intended functionality. The issue is addressed in the security bulletin from IBM [1].
Exploitation
An attacker needs authenticated access to the application. With a low-privileged account, the attacker can inject malicious script into input fields or other user-controllable content that is later rendered in the Web UI. The attack requires user interaction, as a victim user with a trusted session must view the manipulated page in their browser [1].
Impact
Successful exploitation can lead to disclosure of the victim's credentials within the trusted session. The attacker can hijack the victim's session or perform other actions on behalf of the victim, with the impact being limited to low confidentiality and low integrity, as per the CVSS vector [1].
Mitigation
IBM has addressed this vulnerability in Kenexa LCMS Premier on Cloud version 10.3. Users should upgrade to version 10.3 or later as specified in the security bulletin [1]. No workarounds are mentioned in the available reference.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- IBM Corporation/Kenexa LCMS Premier on Cloud (v5), Range: 9.0
Patches
No patches discovered yet.
References
- www.ibm.com/support/docview.wss (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/94385 (nvd: Technical Description, VDB Entry)