CVE-2022-43845 – IBM Aspera Console information disclosure
https://notcve.org/view.php?id=CVE-2022-43845
IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. • https://www.ibm.com/support/pages/node/7169766 • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •
CVE-2024-40703 – IBM Cognos Analytics information disclosure
https://notcve.org/view.php?id=CVE-2024-40703
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive information in the form of an API key. An attacker could use this information to launch further attacks against affected applications. • https://www.ibm.com/support/pages/node/7160700 https://www.ibm.com/support/pages/node/7168038 • CWE-522: Insufficiently Protected Credentials •
CVE-2024-38315 – IBM Aspera Shares session fixation
https://notcve.org/view.php?id=CVE-2024-38315
IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. • https://exchange.xforce.ibmcloud.com/vulnerabilities/294742 https://www.ibm.com/support/pages/node/7168379 • CWE-613: Insufficient Session Expiration •
CVE-2024-43180 – IBM Concert information disclosure
https://notcve.org/view.php?id=CVE-2024-43180
IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. • https://exchange.xforce.ibmcloud.com/vulnerabilities/351213 https://www.ibm.com/support/pages/node/7168234 • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute •
CVE-2024-45097 – IBM Aspera Faspex bypass security
https://notcve.org/view.php?id=CVE-2024-45097
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. • https://www.ibm.com/support/pages/node/7167255 • CWE-650: Trusting HTTP Permission Methods on the Server Side •