Aspera Faspex 5
by IBM
CVEs (46)
| CVE | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2022-47986 | 0.29 | — | 1.00 | KEV | Feb 17, 2023 | IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary… |
| CVE-2025-36226 | 0.00 | — | 0.00 | | Mar 10, 2026 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a… |
| CVE-2025-36227 | 0.00 | — | 0.00 | | Mar 10, 2026 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning… |
| CVE-2025-36230 | 0.00 | — | 0.00 | | Dec 26, 2025 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. |
| CVE-2025-36229 | 0.00 | — | 0.00 | | Dec 26, 2025 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data by enumerating package identifiers. |
| CVE-2025-36228 | 0.00 | — | 0.00 | | Dec 26, 2025 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may have inconsistent permissions between the user interface and backend API, allowing users to access features that appeared disabled, potentially leading to misuse. |
| CVE-2025-36171 | 0.00 | — | 0.00 | | Oct 9, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.13.1 could allow a privileged user to cause a denial of service from improperly validated API input due to excessive resource consumption. |
| CVE-2025-36225 | 0.00 | — | 0.00 | | Oct 9, 2025 | IBM Aspera 5.0.0 through 5.0.13.1 could disclose sensitive user information from the system to an authenticated user due to an observable discrepancy of returned data. |
| CVE-2023-37401 | 0.00 | — | 0.00 | | Oct 9, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted. |
| CVE-2025-36040 | 0.00 | — | 0.00 | | Jul 30, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms. |
| CVE-2025-36039 | 0.00 | — | 0.00 | | Jul 30, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms. |
| CVE-2025-33138 | 0.00 | — | 0.00 | | May 22, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.12 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. |
| CVE-2025-33137 | 0.00 | — | 0.00 | | May 22, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to client-side enforcement of server-side security. |
| CVE-2025-33136 | 0.00 | — | 0.00 | | May 22, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data. |
| CVE-2025-3423 | 0.00 | — | 0.00 | | Apr 13, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.11 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted… |
| CVE-2023-35907 | 0.00 | — | 0.00 | | Jan 29, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.10 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. |
| CVE-2023-37413 | 0.00 | — | 0.00 | | Jan 29, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.10 could disclose sensitive username information due to an observable response discrepancy. |
| CVE-2023-37398 | 0.00 | — | 0.00 | | Jan 29, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.10 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. |
| CVE-2023-37412 | 0.00 | — | 0.00 | | Jan 29, 2025 | IBM Aspera Faspex 5.0.0 through 5.0.10 could allow a privileged user to make system changes without proper access controls. |
| CVE-2023-37395 | 0.00 | — | 0.00 | | Dec 11, 2024 | IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to improper encryption of certain data. |
Page 1 of 3