CVE-2016-3028

CRITICAL

IBM Security Access Manager for Web 7.0-8.0 and Security Access Manager 9.0 - Authenticated OS Command Injection

Title source: llm

Description

IBM Security Access Manager for Web 7.0 before IF2 and 8.0 before 8.0.1.4 IF3 and Security Access Manager 9.0 before 9.0.1.0 IF5 allow remote authenticated users to execute arbitrary commands by leveraging LMI admin access.

References (5)

Core References
Broken Link vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IV89257
Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21990317
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93176
Broken Link vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IV89322
Broken Link vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IV89326

Scores

CVSS v3 9.1
EPSS 0.0354
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (12)
ibm/security_access_manager 9.0.0
ibm/security_access_manager 9.0.0.1
ibm/security_access_manager 9.0.1.0
ibm/security_access_manager_for_web 7.0.0
ibm/security_access_manager_for_web 8.0.0
ibm/security_access_manager_for_web 8.0.0.2
ibm/security_access_manager_for_web 8.0.0.4
ibm/security_access_manager_for_web 8.0.0.5
ibm/security_access_manager_for_web 8.0.1
ibm/security_access_manager_for_web 8.0.1.2
... and 2 more
Published Nov 25, 2016
Tracked Since Feb 18, 2026