CVE-2022-43845
IBM Aspera Console information disclosure
In short
IBM Aspera Console versions 3.4.0 to 3.4.4 are missing a security setting that protects cookies from being read by malicious websites. An attacker can steal sensitive information stored in cookies through a web-based attack.
Technical detail
The HttpOnly flag is not set on cookies in IBM Aspera Console 3.4.0-3.4.4, so JavaScript running in the browser can read session cookies. This lets a cross-site scripting (XSS) attack exfiltrate authentication tokens or session identifiers without requiring direct server compromise.
Summary generated and translated by AI from the official description.
IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
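The check a defender would run against a Console instance is whether each Set-Cookie header it returns carries HttpOnly (and, while looking, Secure and SameSite). The audit below is an added example, not IBM's code: the Set-Cookie lines are constructed samples with hypothetical cookie names, and `fetch_set_cookie_headers` is only a helper for pointing the same audit at a live login page.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite flags.

Added example; the sample headers are constructed and the cookie names
are hypothetical, not IBM Aspera Console's real cookie names.
"""
import urllib.request
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str                                   # cookie name from the header
    missing: list = field(default_factory=list)  # flags that were absent


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flags like HttpOnly have no value
    return name, attrs


def audit_set_cookie(headers):
    """Return one CookieFinding per cookie that lacks any of the three flags."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag, key in (("HttpOnly", "httponly"),
                                          ("Secure", "secure"),
                                          ("SameSite", "samesite"))
                   if key not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


def fetch_set_cookie_headers(url, timeout=10):
    """Fetch one URL and return all of its Set-Cookie headers (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: the first cookie mirrors the CVE (Secure set, HttpOnly absent).
SAMPLE_HEADERS = [
    "_console_session=abc123; Path=/; Secure",
    "prefs=dark; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrf=xyz789; Path=/",
]

if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{f.name}: missing {', '.join(f.missing)}")
```

A patched instance should produce no finding for its session cookie; a finding that lists HttpOnly is the condition this advisory describes.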
Affected products
IBM · Aspera Console