A cross-site scripting vulnerability has been addressed in IBM Kenexa LMS on Cloud 5.1
CVEID: CVE-2016-8935
DESCRIPTION: IBM Kenexa LMS on Cloud is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118649 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
IBM Kenexa LMS 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0
These issues have been addressed in IBM LMS on Cloud 5.1. IBM recommends updating to the latest release.
Customers who are using an affected version should visit the IBM Support Portal and open a Service Request (SR) to request an upgrade to the latest fixed release.