Yannik Marchand

**Name of the Vulnerable Software and Affected Versions** IBM Aspera HSTS for CP4I versions 1.5.1 through 1.5.19 **Description** An authentication bypass allows a transfer client to access files in the server's local storage that should be restricted, provided that specific restriction settings are not configured. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Aspera High-Speed Transfer Endpoint versions 3.7.4 through 4.4.7 Fix Pack 1 IBM Aspera High-Speed Transfer Server versions 3.7.4 through 4.4.7 Fix Pack 1 **Description** A buffer overflow exists in the `asperahttpd` component. This issue can be exploited to cause a denial of service and may potentially lead to authentication bypass or remote code execution. **Recommendations** Update IBM Aspera High-Speed Transfer Endpoint to a version later than 4.4.7 Fix Pack 1. Update IBM Aspera High-Speed Transfer Server to a version later than 4.4.7 Fix Pack 1.

**Name of the Vulnerable Software and Affected Versions** IBM Aspera High-Speed Transfer Endpoint versions 3.7.4 through 4.4.7 Fix Pack 1 IBM Aspera High-Speed Transfer Server versions 3.7.4 through 4.4.7 Fix Pack 1 **Description** A buffer overflow exists in the `asperahttpd` component. This issue allows an authenticated user to execute arbitrary code on the system. A buffer overflow occurs when a program writes more data to a block of memory, or buffer, than it is designed to hold, potentially overwriting adjacent memory locations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Aspera High-Speed Transfer Endpoint versions 3.7.4 through 4.4.7 Fix Pack 1 IBM Aspera High-Speed Transfer Server versions 3.7.4 through 4.4.7 Fix Pack 1 **Description** A potential denial of service exists in the `asperahttpd` component. An unauthenticated user can cause the `asperahttpd` service to crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 128 Thunderbird versions prior to 128 **Description** The issue is related to the console tab of the developer tools in Firefox, where CSP violations generate links pointing to the violating resource, causing a DNS prefetch that leaks information about the CSP violation. This could allow a remote attacker to access confidential data. **Recommendations** For Firefox versions prior to 128, update to version 128 or later to resolve the issue. For Thunderbird versions prior to 128, update to version 128 or later to resolve the issue.