17 matches found
CVE-2025-0162
CVE-2025-0162 affects IBM Aspera Shares 1.9.9–1.10.0 PL7. The issue is an XML External Entity (XXE) injection in XML processing, enabling a remote authenticated attacker to disclose sensitive data or cause memory/resource exhaustion. Root cause: improper handling of external entities in XML. Docu...
CVE-2023-38018
IBM Aspera Shares 1.10.0 PL2 contains a vulnerability where a session is not invalidated after a password change, potentially allowing an authenticated user to impersonate another user. Affected product: IBM Aspera Shares; versions up to and including 1.10.0 PL2. Root cause: improper session hand...
CVE-2024-38316
CVE-2024-38316 affects IBM Aspera Shares 1.9.0–1.10.0 PL6, where an authenticated user’s ability to send emails is not properly rate-limited, potentially enabling email flooding and denial of service. The IBM Security Bulletin describes the vulnerability (CWE-770: Allocation of Resources Without ...
CVE-2024-56472
CVE-2024-56472 affects IBM Aspera Shares Web UI (versions 1.9.0–1.10.0 PL6). Root cause is stored cross-site scripting (XSS) that enables authenticated users to embed arbitrary JavaScript, potentially leading to credentials disclosure within a trusted session. IBM’s bulletin indicates remediation...
CVE-2024-56473
CVE-2024-56473 affects IBM Aspera Shares 1.9.0 through 1.10.0 PL6. The root cause is improper verification of the Client-IP header, allowing an attacker to spoof their IP address and have it written to log files. According to the IBM Security Bulletin, remediation is to upgrade to IBM Aspera Shar...
CVE-2024-38318
IBM Aspera Shares 1.9.0–1.10.0 PL6 is vulnerable to HTML injection. A remote attacker could inject HTML/JavaScript that runs in the victim’s browser within the hosting site’s security context. The multi-CVE IBM bulletin confirms this HTML injection issue (CVE-2024-38318) among other vulnerabiliti...
CVE-2024-56471
IBM Aspera Shares versions 1.9.0–1.10.0 PL6 are affected by a server-side request forgery (SSRF) vulnerability that could allow an authenticated attacker to send unauthorized requests from the affected system, potentially enabling network enumeration or other attacks. The IBM Security Bulletin no...
CVE-2024-56470
IBM Aspera Shares 1.9.0–1.10.0 PL6 is affected by CVE-2024-56470: a server-side request forgery (SSRF) that could allow an authenticated attacker to issue unauthorized requests from the appliance, potentially enabling network enumeration or enabling other moves. The IBM security bulletin confirms...
CVE-2024-38317
CVE-2024-38317 affects IBM Aspera Shares 1.9.0–1.10.0 PL6. A privileged user can embed arbitrary JavaScript in the Web UI, potentially disclosing credentials in a trusted session (XSS). IBM’s bulletin notes remediation: upgrade to 1.10.0 PL7 (Linux/Windows). No exploitation status provided in the...
CVE-2020-4731
CVE-2020-4731 affects IBM Aspera Shares/Web Application 1.9.14 Patch Level 1 and earlier, with a cross-site scripting (XSS) vulnerability that could embed arbitrary JavaScript in the Web UI and potentially disclose credentials in a trusted session. Root cause: XSS in the web UI as described in IB...
CVE-2024-38315
CVE-2024-38315 – IBM Aspera Shares session handling issue : IBM Aspera Shares versions 1.0.0 to 1.10.0 PL2 do not invalidate a user session after a password reset, which could allow an authenticated user to impersonate another user. Root cause: lack of session invalidation post-password reset. Af...
CVE-2025-66484
CVE-2025-66484 affects IBM Aspera Shares 1.9.9–1.11.0. A stored cross-site scripting vulnerability exists in the Web UI due to failure to adequately filter user input, allowing an attacker to embed arbitrary JavaScript and potentially cause credential disclosure within a trusted session. Remediat...
CVE-2025-66483
IBM Aspera Shares versions 1.9.9–1.11.0 are affected by an access control issue where a password reset does not invalidate the existing session, enabling an authenticated user to impersonate another user. The issue is documented across multiple sources (NVD, Red Hat, CNVD, EU ENISA, etc.) with th...
CVE-2025-66485
CVE-2025-66485 affects IBM Aspera Shares 1.9.9–1.11.0. The issue is HTTP header injection caused by improper HOST header validation, enabling attacks such as cross-site scripting, cache poisoning, and session hijacking. Remediation is available in IBM Aspera Shares 1.11.1 for Windows and Linux. T...
CVE-2025-66487
CVE-2025-66487 affects IBM Aspera Shares 1.9.9–1.11.0. The root cause is insufficient rate limiting on email sending by an authenticated user, leading to potential email flooding or a denial of service. The Red Hat and IBM advisories confirm the affected product/version range and describe the rem...
CVE-2025-13916
IBM Aspera Shares versions 1.9.9–1.11.0 are affected by a cryptographic weakness that could allow an attacker to decrypt highly sensitive information. The issue stems from weaker-than-expected cryptographic algorithms used by the service. Public advisories (IBM and CNVD) indicate the vulnerabilit...
CVE-2025-66486
IBM Aspera Shares versions 1.9.9–1.11.0 are vulnerable to HTML injection, enabling a remote attacker to inject HTML that runs in the victim’s browser within the site’s security context. The issue affects IBM Aspera Shares web application components and is addressed by upgrading to version 1.11.1 ...