CVE-2016-0321 : IBM Personal Communications (aka PCOMM) 6.x before 6.0.17 and 12.x before 12.0.0

IBM Personal Communications (aka PCOMM) 6.x before 6.0.17 and 12.x before 12.0.0.1 does not properly restrict credential extraction, which allows local users to discover passwords by leveraging access to the victim account and executing a PowerShell script.

Published 2016-07-17 22:59:00

Updated 2025-04-12 10:46:41

Source IBM Corporation

View at NVD, CVE.org

Products affected by CVE-2016-0321

IBM » Personal Communications » Version: 12.0.0
cpe:2.3:a:ibm:personal_communications:12.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.16
cpe:2.3:a:ibm:personal_communications:6.0.16:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.15
cpe:2.3:a:ibm:personal_communications:6.0.15:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.8
cpe:2.3:a:ibm:personal_communications:6.0.8:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.7
cpe:2.3:a:ibm:personal_communications:6.0.7:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.6
cpe:2.3:a:ibm:personal_communications:6.0.6:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.14
cpe:2.3:a:ibm:personal_communications:6.0.14:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.13
cpe:2.3:a:ibm:personal_communications:6.0.13:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.5
cpe:2.3:a:ibm:personal_communications:6.0.5:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.4
cpe:2.3:a:ibm:personal_communications:6.0.4:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.12
cpe:2.3:a:ibm:personal_communications:6.0.12:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.11
cpe:2.3:a:ibm:personal_communications:6.0.11:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.3
cpe:2.3:a:ibm:personal_communications:6.0.3:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.2
cpe:2.3:a:ibm:personal_communications:6.0.2:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.10
cpe:2.3:a:ibm:personal_communications:6.0.10:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.9
cpe:2.3:a:ibm:personal_communications:6.0.9:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.1
cpe:2.3:a:ibm:personal_communications:6.0.1:*:*:*:*:*:*:*
Matching versions
IBM » Personal Communications » Version: 6.0.0
cpe:2.3:a:ibm:personal_communications:6.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-0321

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 30 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-0321

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.2	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	2.5	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2016-0321

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-0321

http://www-01.ibm.com/support/docview.wss?uid=swg1IT12006

IBM IT12006: PCOM: PCSNP.EXE PASSES USER NAME AND PASSWORD IN PLAIN TEXT
http://www-01.ibm.com/support/docview.wss?uid=swg21981692

IBM Security Bulletin: IBM Personal Communications could allow a remote user to obtain sensitive information including user passwords, allowing unauthorized access. (CVE-2016-0321)
Vendor Advisory
http://www.securityfocus.com/bid/91751

IBM Personal Communications CVE-2016-0321 Information Disclosure Vulnerability

Jump to

Vulnerability Details : CVE-2016-0321

Products affected by CVE-2016-0321

Exploit prediction scoring system (EPSS) score for CVE-2016-0321

CVSS scores for CVE-2016-0321

CWE ids for CVE-2016-0321

References for CVE-2016-0321