History: Jun 17, 2018 - 10:24 p.m.

Security Bulletin: A cross-site scripting vulnerability has been addressed in IBM Kenexa LMS on Cloud 5.1

2018-06-17 22:24:46
www.ibm.com

EPSS: 0.001 (Percentile: 18.9%)

Summary

A cross-site scripting vulnerability has been addressed in IBM Kenexa LMS on Cloud 5.1.

Vulnerability Details

CVEID: CVE-2016-8935
DESCRIPTION: IBM Kenexa LMS on Cloud is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118649 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Kenexa LMS 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0

Workarounds and Mitigations

These issues have been addressed in IBM LMS on Cloud 5.1. IBM recommends updating to the latest release.

Customers who are using an affected version should visit the IBM Support Portal and open a Service Request (SR) to request an upgrade to the latest fixed release.

<https://www-947.ibm.com/support/entry/portal>
