CVE-2025-66484

EUVD-2025-209180 | GHSA-3927-xmmf-mw2x | ibm | 2026-04-01
Severity: MEDIUM, CVSS 3.1 base score 5.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 23:16 (vuln.today)
EUVD ID Assigned: Apr 01, 2026 - 23:16 (euvd), EUVD-2025-209180
Patch Released: Apr 01, 2026 - 23:16 (nvd), patch available
CVE Published: Apr 01, 2026 - 22:59 (nvd), MEDIUM 5.5

Description

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session.

Analysis

Stored cross-site scripting in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated high-privilege users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser sessions. The CVSS score of 5.5 reflects the requirement for elevated privileges (PR:H) combined with a changed scope (S:C); no public exploit or active exploitation is confirmed.

Technical Context

IBM Aspera Shares is a web-based file collaboration platform. The vulnerability resides in insufficient input sanitization on user-controllable input stored within the Web UI application layer. Stored XSS vulnerabilities (CWE-79 class) occur when user-supplied data is persisted in a backend store (database, configuration, filesystem) and later rendered in a browser without proper output encoding. This differs from reflected XSS in that the malicious payload is re-executed for any user viewing the affected content, making it persistent across sessions. The attack vector is network-based with low complexity; however, the attack requires high-privilege user roles (PR:H per CVSS vector), significantly limiting the attack surface compared to unauthenticated XSS vulnerabilities. The resulting impact includes confidentiality and integrity loss (credential disclosure, functional alteration) within the scope of the Web application.

Affected Products

IBM Aspera Shares versions 1.9.9 through 1.11.0 are vulnerable (CPE: cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:*). All minor and patch releases within this range are in scope. Versions prior to 1.9.9 and after 1.11.0 are presumed unaffected pending confirmation from IBM's patched release notes.

Remediation

Upgrade IBM Aspera Shares to a version released after 1.11.0 that includes the stored XSS fix; consult IBM support page node/7267848 for the exact patched version number and deployment instructions. If an immediate upgrade is not possible, restrict administrative and high-privilege user accounts to trusted networks via firewall rules or VPN, enforce multi-factor authentication on privileged accounts, and monitor Web UI input fields for suspicious JavaScript patterns. Apply the official patch from IBM as soon as it becomes available for your deployment model (on-premises or SaaS). Review IBM's advisory at https://www.ibm.com/support/pages/node/7267848 for version-specific guidance and rollback procedures if needed.
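
As an interim check for the monitoring step above, the following added example (not IBM's code and not part of the advisory) audits stored text fields for script-like markup and reports each hit in output-encoded form, the encoding the Technical Context section describes as missing. The field names, sample rows and pattern list are assumptions made for illustration.

```python
import html
import re

# Heuristic markers of active content in a stored text field. This list is an
# assumption for illustration, not taken from IBM's advisory; tune it locally.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\son\w+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("embedding-tag", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]

def audit_field(value):
    """Return the names of the markers that match one stored value."""
    # Decode HTML entities first so entity-encoded markup is still seen.
    decoded = html.unescape(value)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]

def audit_records(records):
    """Return (record id, field, markers, escaped value) for flagged fields."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            hits = audit_field(value)
            if hits:
                # html.escape yields the inert form, safe to show in a report.
                findings.append((rec["id"], field, hits, html.escape(value)))
    return findings

# Constructed sample rows; the field names are hypothetical.
SAMPLE = [
    {"id": 1, "share_name": "Quarterly reports", "comment": "Uploaded 3 files"},
    {"id": 2, "share_name": "Media", "comment": '<img src=x onerror="alert(1)">'},
    {"id": 3, "share_name": "&lt;script&gt;alert(1)&lt;/script&gt;", "comment": ""},
    {"id": 4, "share_name": "Budget <draft>", "comment": "a < b"},
]

if __name__ == "__main__":
    for rec_id, field, hits, safe in audit_records(SAMPLE):
        print(f"record {rec_id} field {field}: {hits} -> {safe}")
```

Rows 2 and 3 are flagged, while row 4 shows that ordinary angle brackets in a name or comment do not trigger a finding.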

Priority Score

28
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
