Description
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Published: 2026-04-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting allowing arbitrary JavaScript execution within the trusted session of IBM Aspera Shares
Action: Patch immediately
AI Analysis

Impact

The vulnerability resides in IBM Aspera Shares versions 1.9.9 through 1.11.0 and permits attackers to embed malicious JavaScript code in the web interface. By doing so, an attacker can manipulate the UI and potentially capture credentials that are stored in the session of authenticated users. This stored cross‑site scripting flaw can be used to read sensitive data and compromise the confidentiality of user accounts.

Affected Systems

IBM Aspera Shares, specifically the 1.9.9, 1.10.x, and 1.11.0 releases, are affected. The issue is present in all platform builds, including Windows and Linux installations, as indicated by the CPE entries for each version.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the web UI: an attacker submits a payload that is stored and later executed in the context of a logged‑in user. Credential theft would require the victim to be authenticated with a trusted session.

Generated by OpenCVE AI on April 3, 2026 at 22:29 UTC.

Remediation

Vendor Solution

Product(s) | Fixing VRM | Platform | Link to Fix
IBM Aspera Shares | 1.11.1 | Windows | https://www.ibm.com/support/fixcentral/swg/selectFixes
IBM Aspera Shares | 1.11.1 | Linux | https://www.ibm.com/support/fixcentral/swg/selectFixes


OpenCVE Recommended Actions

  • Apply the IBM fix for Aspera Shares 1.11.1 or newer using the IBM Fix Central links for Windows and Linux
  • Verify that the installed version is 1.11.1 or later and that the fix applies to your deployment
  • If a patch cannot be applied immediately, restrict write access to the web UI or disable features that accept user‑supplied input until the update is installed



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title Multiple vulnerabilities have been addressed in IBM Aspera Shares
First Time appeared Ibm
Ibm aspera Shares
CPEs cpe:2.3:a:ibm:aspera_shares:1.11.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:aspera_shares:1.9.9:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm aspera Shares
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-02T13:49:58.262Z

Reserved: 2025-12-02T18:42:37.816Z

Link: CVE-2025-66484

Vulnrichment

Updated: 2026-04-02T13:49:51.373Z

NVD

Status: Analyzed

Published: 2026-04-01T23:17:02.103

Modified: 2026-04-03T19:49:23.077

Link: CVE-2025-66484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:24Z

Weaknesses