Summary

This Security Bulletin addresses multiple vulnerabilities that have been remediated in IBM Aspera Console 3.4.5.

Vulnerability Details

CVEID: CVE-2024-40725
DESCRIPTION: Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an incomplete fix for CVE-2024-39884 that ignored some use of the legacy content-type based configuration of handlers. On servers whose configuration relies on AddType to select a handler, an attacker could exploit this vulnerability, resulting in source code disclosure of local content.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/298128 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-43850
DESCRIPTION: IBM Aspera Console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239226 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2022-43840
DESCRIPTION: IBM Aspera Console is vulnerable to XPath injection, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the structure of the XML document.
CVSS Base score: 4.3
CVSS Temporal Score: See: …
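For the CVE-2024-40725 item above, the weak pattern is letting httpd pick a handler from a content type assigned with AddType, and the explicit alternative is binding the handler directly with SetHandler. The httpd configuration fragment below is an added illustration of those two patterns; it is not taken from IBM's bulletin or from the configuration Aspera Console ships, and the handler name, file extension and the assumption that mod_php is loaded are choices made for the example.

```apache
# Added example, not from the IBM bulletin or Aspera Console's configuration.

# Legacy pattern (commented out): the content type is set with AddType and the
# handler is implied from it. This is the "content-type based configuration of
# handlers" that CVE-2024-39884 / CVE-2024-40725 concern; on an affected httpd
# it can result in the script source being served instead of being handled.
#
#   AddType application/x-httpd-php .php

# Explicit pattern: bind the handler to the matching files directly, so no
# content-type lookup is involved. The handler name assumes mod_php is loaded.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

The remediation the bulletin gives is the upgrade to Aspera Console 3.4.5, which carries the fixed httpd; the configuration change only removes the dependence on the legacy mapping. To see whether a running instance still relies on it, review the effective configuration (for example, `httpd -t -D DUMP_CONFIG`) for AddType directives whose type is meant to select a handler rather than to label static content.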