EUVD-2025-209184

CVE-2025-66486 | MEDIUM | 4.8 (CVSS 3.1)
2026-04-01 | ibm | GHSA-25px-gj7m-w9m3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 23:16 (vuln.today)
EUVD ID Assigned: Apr 01, 2026 - 23:16 (euvd) - EUVD-2025-209184
Patch Released: Apr 01, 2026 - 23:16 (nvd) - Patch available
CVE Published: Apr 01, 2026 - 23:03 (nvd) - MEDIUM 4.8

Description

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

Analysis

HTML injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated remote attackers with high privileges to inject malicious HTML that executes in victim browsers within the hosting site's security context; user interaction is required, since a victim must view the injected content. CVSS 4.8 indicates low overall severity; a patch is available from IBM.

Technical Context

The vulnerability is rooted in CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a form of stored or reflected HTML injection. IBM Aspera Shares, an enterprise file sharing platform, fails to properly sanitize or escape user-supplied input before rendering it in HTML responses. When an authenticated user with high privileges (PR:H per CVSS vector) injects malicious HTML, the application renders it without sufficient output encoding. Unlike traditional XSS flaws that target JavaScript execution, HTML injection allows injection of arbitrary HTML elements, attributes, and structures. The attack succeeds only when a victim views the injected content (UI:R required), limiting its reach compared to automatic exploitation vectors.

Affected Products

IBM Aspera Shares versions 1.9.9 through 1.11.0 are vulnerable, as indicated by CPE cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:*. The vendor advisory and patch are available at https://www.ibm.com/support/pages/node/7267848.

Remediation

A vendor-released patch is available from IBM. Users should upgrade to the patched version released after 1.11.0, following the guidance in the IBM support advisory at https://www.ibm.com/support/pages/node/7267848. In the interim, restrict high-privilege account access and monitor audit logs for suspicious HTML injection attempts. Ensure multi-factor authentication is enabled for administrative accounts to reduce the risk of privilege escalation from a lower-privilege compromise.
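The following is an added example, not code from IBM or from Aspera Shares, illustrating the two defensive points raised in the Technical Context and Remediation sections: the difference between rendering user-supplied text into HTML unencoded versus with output encoding, and a heuristic audit-log check that flags plain-text fields carrying markup or script hooks (the CWE-80 pattern). The event schema (actor, field, value), the sample records and the tag/attribute regex are all constructed assumptions for the demonstration; a real Aspera Shares audit log would have its own format.

```python
"""Added example (not IBM's or Aspera Shares' code): contrasts an unencoded
HTML render with an output-encoded one, and scans constructed audit records
for script-related markup (CWE-80) as the remediation section suggests."""
import html
import re

# Heuristic for HTML markup in a field that should be plain text (assumption:
# such fields never legitimately contain tags). Covers opening/closing tags,
# inline event-handler attributes and javascript: URLs. A bare "<" followed
# by whitespace (e.g. "a < b") is deliberately not treated as a tag.
HTML_MARKUP_RE = re.compile(
    r"</?[a-z][a-z0-9]*(\s[^>]*)?>"   # <tag ...> or </tag>
    r"|\bon[a-z]+\s*="                # onload=, onerror=, onclick=, ...
    r"|javascript\s*:",               # javascript: scheme in a URL
    re.IGNORECASE,
)


def render_unsafe(label: str) -> str:
    """Vulnerable pattern: user-controlled text concatenated into markup as-is."""
    return f'<span class="share-label">{label}</span>'


def render_encoded(label: str) -> str:
    """Hardened pattern: HTML-entity encode before placing text in element content."""
    return f'<span class="share-label">{html.escape(label, quote=True)}</span>'


def contains_html_markup(value: str) -> bool:
    """True when a supposedly plain-text value carries markup or script hooks."""
    return HTML_MARKUP_RE.search(value) is not None


def flag_suspicious_events(events):
    """Return the audit events whose user-supplied value carries HTML markup.

    Each event is a dict with 'actor', 'field' and 'value' keys (constructed
    schema for this example; a real audit log would have its own).
    """
    return [e for e in events if contains_html_markup(e["value"])]


# Constructed sample audit records, not real Aspera Shares log data.
SAMPLE_EVENTS = [
    {"actor": "admin-a", "field": "share_name", "value": "Q1 report & budget"},
    {"actor": "admin-b", "field": "share_name",
     "value": 'Vendor files <iframe src="https://example.invalid/"></iframe>'},
    {"actor": "admin-c", "field": "description", "value": "a < b and c > d"},
    {"actor": "admin-d", "field": "description", "value": "<b>urgent</b> review"},
]

if __name__ == "__main__":
    for ev in flag_suspicious_events(SAMPLE_EVENTS):
        print(f"suspicious {ev['field']} set by {ev['actor']}: {ev['value']!r}")
    print(render_unsafe("<b>urgent</b>"))   # tag survives, so a browser renders it
    print(render_encoded("<b>urgent</b>"))  # tag becomes inert text
```

The regex is intentionally a coarse first-pass filter for log review rather than a sanitizer: the real fix is the output encoding shown in `render_encoded` (or the template engine's auto-escaping), applied at every point where administrator-supplied strings reach an HTML response. Expect occasional false positives from the event-handler pattern on words like "only=" and tune the expression to the fields being monitored.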

Priority Score

24
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0


EUVD-2025-209184 vulnerability details – vuln.today
