Aspera Shares
Sign in to watchby IBM
CVEs (9)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-66483 | Med | 0.41 | 6.3 | 0.00 | Apr 1, 2026 | IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. | |
| CVE-2025-13916 | Med | 0.38 | 5.9 | 0.00 | Apr 1, 2026 | IBM Aspera Shares 1.9.9 through 1.11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information | |
| CVE-2025-66484 | Med | 0.36 | 5.5 | 0.00 | Apr 1, 2026 | IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |
| CVE-2025-66485 | Med | 0.35 | 5.4 | 0.00 | Apr 1, 2026 | IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | |
| CVE-2025-66486 | Med | 0.31 | 4.8 | 0.00 | Apr 1, 2026 | IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | |
| CVE-2025-66487 | Low | 0.18 | 2.7 | 0.00 | Apr 1, 2026 | IBM Aspera Shares 1.9.9 through 1.11.0 does not properly rate limit the frequency that an authenticated user can send emails, which could result in email flooding or a denial of service. | |
| CVE-2025-0162 | 0.00 | — | 0.00 | Mar 7, 2025 | IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | ||
| CVE-2024-38315 | 0.00 | — | 0.00 | Sep 16, 2024 | IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. | ||
| CVE-2023-38018 | 0.00 | — | 0.00 | Aug 9, 2024 | IBM Aspera Shares 1.10.0 PL2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 260574. |