CVE-2016-5902

IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=swg21988252	Patch Vendor Advisory
http://www.securityfocus.com/bid/92535	Third Party Advisory VDB Entry
http://www.ibm.com/support/docview.wss?uid=swg21988252	Patch Vendor Advisory
http://www.securityfocus.com/bid/92535	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:maximo_asset_management:7.1:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_aviation:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_aviation:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_aviation:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_energy_optimization:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_energy_optimization:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_energy_optimization:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_government:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_government:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_government:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_life_sciences:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_life_sciences:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_life_sciences:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_nuclear_power:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_nuclear_power:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_nuclear_power:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_transportation:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_transportation:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_transportation:7.6:::::::*
	cpe:2.3:a:ibm:maximo_for_utilities:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_utilities:7.5:::::::*
	cpe:2.3:a:ibm:maximo_for_utilities:7.6:::::::*

History

21 Nov 2024, 02:55

Type	Values Removed	Values Added
References	~~() http://www.ibm.com/support/docview.wss?uid=swg21988252 - Patch, Vendor Advisory~~	() http://www.ibm.com/support/docview.wss?uid=swg21988252 - Patch, Vendor Advisory
References	~~() http://www.securityfocus.com/bid/92535 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/92535 - Third Party Advisory, VDB Entry

Information

Published : 2017-02-08 22:59

Updated : 2025-04-20 01:37

NVD link : CVE-2016-5902

Mitre link : CVE-2016-5902

CVE.ORG link : CVE-2016-5902

JSON object : View

Products Affected

ibm

maximo_asset_management
maximo_for_transportation
maximo_for_aviation
maximo_for_energy_optimization
maximo_for_oil_and_gas
maximo_for_utilities
maximo_for_nuclear_power
maximo_for_life_sciences
maximo_for_government

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2016-5902", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2017-02-08T22:59:00.573", "references": [{"url": "http://www.ibm.com/support/docview.wss?uid=swg21988252", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www.securityfocus.com/bid/92535", "tags": ["Third Party Advisory", "VDB Entry"], "source": "psirt@us.ibm.com"}, {"url": "http://www.ibm.com/support/docview.wss?uid=swg21988252", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/92535", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}, {"lang": "es", "value": "IBM Maximo Asset Management es vulnerable a XSS. Esta vulnerabilidad permite a usuarios incrustar c\u00f3digo JavaScript arbitrario en la interfaz Web alterando as\u00ed la funcionalidad intencionada conduciendo potencialmente a la divulgaci\u00f3n de credenciales en una sesi\u00f3n de confianza."}], "lastModified": "2025-04-20T01:37:25.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE721CF9-0F75-410B-A0F4-542041E25925"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AEBAE48-FFD0-4837-AB3B-F6C31B1AC8D9"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58B773C7-9386-4704-B85F-748578DBC242"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_aviation:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA2E94D6-C670-417D-8BC7-6D57FC881735"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_aviation:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D99E35AE-83AD-4B46-8D1B-D55213547863"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_aviation:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBC96757-682F-4EBF-83A7-7C85C451ED26"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_energy_optimization:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47FE69C7-D7C4-4707-B3EF-AC290F2CF92D"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_energy_optimization:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "805C1AA0-2515-481F-8DC2-B8DDB567B112"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_energy_optimization:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9588B376-E159-4CF8-AA3C-70FBBFCB3ED5"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_government:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D8673B0-D385-467A-A60C-90A436C976D3"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_government:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4908AC9D-7410-47A6-BC46-5587C60061A2"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_government:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F39CC0B-40C9-434B-9257-A72D04D5CED0"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_life_sciences:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B315997-8DD3-4244-B292-68568FB82CED"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_life_sciences:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "360D781D-AD52-4309-A484-2150B10DFB02"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_life_sciences:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BA294D6-4D4D-4ADB-A05B-F578A8877A4D"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_nuclear_power:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4796CF9E-0065-4DE2-8C7A-22EB76F65E8E"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_nuclear_power:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75C69BA7-055F-446B-9E76-398D57680BA0"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_nuclear_power:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54B15803-D203-4620-B4CF-0F417C7A9B79"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "764D9D95-26A8-441E-95E1-55C9CDEA59BD"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "012787EB-E7F0-4CAD-B406-6057A7F6F14F"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED14563B-CA07-4CEF-B46B-672F06D08B9F"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_transportation:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F780ADF-3151-4B2C-98B9-7FFD0DB47A57"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_transportation:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4367602D-5736-459D-82C1-099CD484F2FE"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_transportation:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7759191C-5D16-4937-BC80-5A47FE4F9DD1"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_utilities:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "553D4A7C-E2F0-40F7-88FC-AB372DFCA9DD"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_utilities:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1480E9F7-9CA1-4F8D-977F-0F13594D0D36"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_utilities:7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C823FEB8-B984-444C-A56E-4421A134754C"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-5902

6.1^/10

4.3^/10

Attach tags to `CVE-2016-5902`