CVE-2025-66483
Session Fixation in IBM Aspera Shares Allows User Impersonation
Publication date: 2026-04-01
Last updated on: 2026-04-06
Assigner: IBM Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | aspera_shares | From 1.9.9 (inc) to 1.11.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
IBM Aspera Shares versions 1.9.9 through 1.11.0 have a vulnerability where the system does not invalidate a user's session after a password reset.
This flaw could allow an authenticated user to impersonate another user on the system by continuing to use a session that should have been terminated.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated user to impersonate another user, potentially gaining unauthorized access to that user's data or privileges.
Because the session remains valid after a password reset, an attacker could maintain access even after the legitimate user attempts to secure their account.
The CVSS base score of 6.3 indicates a medium severity with potential impacts on confidentiality, integrity, and availability.
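The failure mode described in both answers above, as an added example that is not IBM's or Aspera Shares' code: a small in-memory session store with two password-reset routines. The vulnerable one only replaces the password hash and leaves every existing session usable (the CWE-613 pattern); the fixed one also stamps the time of the change and revokes the user's sessions, and the resolver additionally refuses any session issued before the latest password change so a missed revocation still fails closed. All names, the logical clock and the sample user are constructed for this demonstration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Logical clock (constructed for the demo) so event ordering is deterministic.
_clock = count(1)


def now() -> int:
    return next(_clock)


@dataclass
class User:
    username: str
    password_hash: str            # placeholder; a real app stores a KDF output
    password_changed_at: int      # logical timestamp of the last reset


@dataclass
class Session:
    username: str
    issued_at: int


class SessionStore:
    """Server-side session table keyed by an unguessable session id."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user.username, now())
        return sid

    def revoke_all_for(self, username: str) -> int:
        """Drop every session belonging to one user; returns how many were removed."""
        doomed = [sid for sid, s in self._sessions.items() if s.username == username]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def resolve(self, sid: str, users: dict[str, User]) -> Optional[str]:
        """Map a session id to a username, or None if the session is not valid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        user = users[s.username]
        # Defence in depth: a session older than the last password change is
        # never honoured, even if revocation at reset time was skipped.
        if s.issued_at < user.password_changed_at:
            del self._sessions[sid]
            return None
        return s.username


def reset_password_vulnerable(user: User, new_hash: str, store: SessionStore) -> None:
    # Only the credential changes; sessions issued before the reset stay valid.
    user.password_hash = new_hash


def reset_password_fixed(user: User, new_hash: str, store: SessionStore) -> int:
    # Change the credential, record when it changed, and revoke existing sessions.
    user.password_hash = new_hash
    user.password_changed_at = now()
    return store.revoke_all_for(user.username)


def demo() -> dict[str, Optional[str]]:
    """Walk one user through both reset routines and report what the old session resolves to."""
    users = {"alice": User("alice", "hash-v1", now())}   # constructed sample user
    store = SessionStore()
    alice = users["alice"]
    old_sid = store.login(alice)

    reset_password_vulnerable(alice, "hash-v2", store)
    after_vulnerable = store.resolve(old_sid, users)     # still resolves to "alice"

    reset_password_fixed(alice, "hash-v3", store)
    after_fixed = store.resolve(old_sid, users)          # None: old session is gone

    fresh = store.resolve(store.login(alice), users)     # a new login still works
    return {"after_vulnerable": after_vulnerable, "after_fixed": after_fixed, "fresh_login": fresh}


if __name__ == "__main__":
    print(demo())
```

The two checks in the fixed path are deliberately redundant: revocation at reset time is the primary control, and the issued-before-change comparison in `resolve` catches sessions that revocation missed (for example sessions held in a second store or created by a code path that forgot to call `revoke_all_for`). Detection-wise, a session that keeps authenticating after its user's password has changed is exactly the condition that comparison makes visible, so logging that branch gives operators a signal for this class of bug.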