VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 3, 2026

CVE-2025-66484

Description

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting, allowing arbitrary JavaScript execution and potential credential disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

IBM Aspera Shares versions 1.9.9 through 1.11.0 contain a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient sanitization of user-supplied input, allowing attackers to embed arbitrary JavaScript code that is stored on the server and later executed in the context of the Web UI [1]. This is a classic stored XSS flaw (CWE-79).

Exploitation

An authenticated user with the ability to submit data (e.g., via file uploads, comments, or configuration fields) can inject malicious scripts. No special network position is required beyond standard web access. The attack does not require social engineering of the victim beyond viewing the affected page, as the script executes automatically when the stored content is rendered [1].

Impact

Successful exploitation allows the attacker to alter the intended functionality of the Web UI, potentially leading to disclosure of sensitive session credentials (e.g., session tokens or cookies) within a trusted session. This could enable account takeover or further lateral movement within the application [1].

Mitigation

IBM has addressed this vulnerability in Aspera Shares version 1.11.1. Users are strongly advised to upgrade to this version. No workarounds are documented; applying the security update is the only remediation [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • IBM/Aspera Shares (2 versions)
    • cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:* range: >=1.9.9,<1.11.1
    • (no CPE) range: 1.9.9 through 1.11.0

Patches

0

No patches discovered yet.

References

1
