Severity
Medium
Analysis Summary
CVE-2025-33138 CVSS:5.4
IBM Aspera Faspex is vulnerable to HTML injection. A remote attacker could inject malicious HTML code which, when viewed, would be executed in the victim's web browser within the security context of the hosting site to show malicious content and/or redirect users to a malicious URL.
CVE-2025-33137 CVSS:7.1
IBM Aspera Faspex could allow a remote authenticated attacker to obtain sensitive information or perform unauthorized actions on behalf of another user due to client-side enforcement of server-side security.
CVE-2025-33136 CVSS:7.1
IBM Aspera Faspex could allow a remote authenticated attacker to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data.
Impact
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-33138
CVE-2025-33137
CVE-2025-33136
Affected Vendors
- IBM
Affected Products
- IBM Aspera Faspex - 5.0.0
- IBM Aspera Faspex - 5.0.12
Remediation
Refer to IBM Security Advisory for patch, upgrade, or suggested workaround information.

