CVE-2016-3028
CRITICAL
IBM Security Access Manager for Web 7.0-8.0 and Security Access Manager 9.0 - Authenticated OS Command Injection
Title source: llm
Description
IBM Security Access Manager for Web 7.0 before IF2 and 8.0 before 8.0.1.4 IF3 and Security Access Manager 9.0 before 9.0.1.0 IF5 allow remote authenticated users to execute arbitrary commands by leveraging LMI admin access.
References (5)
Core References
Broken Link vendor-advisory
x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IV89257
Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21990317
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/93176
Broken Link vendor-advisory
x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IV89322
Broken Link vendor-advisory
x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IV89326
Scores
CVSS v3
9.1
EPSS
0.0354
EPSS Percentile
87.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (12)
ibm/security_access_manager
9.0.0
ibm/security_access_manager
9.0.0.1
ibm/security_access_manager
9.0.1.0
ibm/security_access_manager_for_web
7.0.0
ibm/security_access_manager_for_web
8.0.0
ibm/security_access_manager_for_web
8.0.0.2
ibm/security_access_manager_for_web
8.0.0.4
ibm/security_access_manager_for_web
8.0.0.5
ibm/security_access_manager_for_web
8.0.1
ibm/security_access_manager_for_web
8.0.1.2
... and 2 more
Published
Nov 25, 2016
Tracked Since
Feb 18, 2026