Aspera Console
by IBM
CVEs (18)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-38927 | Hig | 0.47 | 7.2 | 0.00 | Dec 25, 2023 | IBM Aspera Console 3.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: … | ||
| CVE-2025-13212 | 0.00 | — | 0.00 | Mar 13, 2026 | IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency. | |||
| CVE-2025-13459 | 0.00 | — | 0.00 | Mar 13, 2026 | IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow. | |||
| CVE-2025-13460 | 0.00 | — | 0.00 | Mar 13, 2026 | IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy. | |||
| CVE-2025-13379 | 0.00 | — | 0.00 | Feb 5, 2026 | IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | |||
| CVE-2025-13925 | 0.00 | — | 0.00 | Jan 20, 2026 | IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user. | |||
| CVE-2022-43850 | 0.00 | — | 0.00 | Apr 14, 2025 | IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||
| CVE-2022-43840 | 0.00 | — | 0.00 | Apr 14, 2025 | IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document. | |||
| CVE-2022-43851 | 0.00 | — | 0.00 | Apr 14, 2025 | IBM Aspera Console 3.4.0 through 3.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | |||
| CVE-2023-27272 | 0.00 | — | 0.00 | Apr 14, 2025 | IBM Aspera Console 3.4.0 through 3.4.4 allows passwords to be reused when a new user logs into the system. | |||
| CVE-2022-43852 | 0.00 | — | 0.00 | Apr 14, 2025 | IBM Aspera Console 3.4.0 through 3.4.4 could disclose sensitive information in HTTP headers that could be used in further attacks against the system. | |||
| CVE-2022-43847 | 0.00 | — | 0.00 | Apr 14, 2025 | IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or… | |||
| CVE-2021-38963 | 0.00 | — | 0.01 | Sep 24, 2024 | IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute… | |||
| CVE-2022-43845 | 0.00 | — | 0.00 | Sep 24, 2024 | IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. | |||
| CVE-2022-43841 | 0.00 | — | 0.00 | May 30, 2024 | IBM Aspera Console 3.4.0 through 3.4.2 PL9 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 239078. | |||
| CVE-2022-43575 | 0.00 | — | 0.00 | May 30, 2024 | IBM Aspera Console 3.4.0 through 3.4.2 PL5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. … | |||
| CVE-2022-43384 | 0.00 | — | 0.00 | May 30, 2024 | IBM Aspera Console 3.4.0 through 3.4.2 PL5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. … | |||
| CVE-2022-43842 | 0.00 | — | 0.01 | Feb 23, 2024 | IBM Aspera Console 3.4.0 through 3.4.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 239079. |
- risk 0.47cvss 7.2epss 0.00
IBM Aspera Console 3.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: …
- CVE-2025-13212Mar 13, 2026risk 0.00cvss —epss 0.00
IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
- CVE-2025-13459Mar 13, 2026risk 0.00cvss —epss 0.00
IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.
- CVE-2025-13460Mar 13, 2026risk 0.00cvss —epss 0.00
IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
- CVE-2025-13379Feb 5, 2026risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
- CVE-2025-13925Jan 20, 2026risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user.
- CVE-2022-43850Apr 14, 2025risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
- CVE-2022-43840Apr 14, 2025risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document.
- CVE-2022-43851Apr 14, 2025risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
- CVE-2023-27272Apr 14, 2025risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.4 allows passwords to be reused when a new user logs into the system.
- CVE-2022-43852Apr 14, 2025risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.4 could disclose sensitive information in HTTP headers that could be used in further attacks against the system.
- CVE-2022-43847Apr 14, 2025risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or…
- CVE-2021-38963Sep 24, 2024risk 0.00cvss —epss 0.01
IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute…
- CVE-2022-43845Sep 24, 2024risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
- CVE-2022-43841May 30, 2024risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.2 PL9 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 239078.
- CVE-2022-43575May 30, 2024risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.2 PL5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. …
- CVE-2022-43384May 30, 2024risk 0.00cvss —epss 0.00
IBM Aspera Console 3.4.0 through 3.4.2 PL5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. …
- CVE-2022-43842Feb 23, 2024risk 0.00cvss —epss 0.01
IBM Aspera Console 3.4.0 through 3.4.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 239079.