CVE-2024-38315 – IBM Aspera Shares session fixation
https://notcve.org/view.php?id=CVE-2024-38315
IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system. • https://exchange.xforce.ibmcloud.com/vulnerabilities/294742 https://www.ibm.com/support/pages/node/7168379 • CWE-613: Insufficient Session Expiration •
CVE-2024-43180 – IBM Concert information disclosure
https://notcve.org/view.php?id=CVE-2024-43180
IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. • https://exchange.xforce.ibmcloud.com/vulnerabilities/351213 https://www.ibm.com/support/pages/node/7168234 • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute •
CVE-2024-45097 – IBM Aspera Faspex bypass security
https://notcve.org/view.php?id=CVE-2024-45097
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. • https://www.ibm.com/support/pages/node/7167255 • CWE-650: Trusting HTTP Permission Methods on the Server Side •
CVE-2024-45096 – IBM Aspera Faspex information disclosure
https://notcve.org/view.php?id=CVE-2024-45096
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user with access to the package to obtain sensitive information through a directory listing. • https://www.ibm.com/support/pages/node/7167255 • CWE-548: Exposure of Information Through Directory Listing •
CVE-2024-45098 – IBM Aspera Faspex bypass security
https://notcve.org/view.php?id=CVE-2024-45098
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. • https://www.ibm.com/support/pages/node/7167255 • CWE-650: Trusting HTTP Permission Methods on the Server Side •