Vulnerability CVE-2016-7469


Published: 2017-06-09

Description:
A stored cross-site scripting (XSS) vulnerability in the Configuration utility device name change page in BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, WOM and WebSafe versions 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, and 11.2.1 allows an authenticated user to inject arbitrary web script or HTML. Exploitation requires Resource Administrator or Administrator privileges, and it could cause the Configuration utility client to become unstable.

Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: F5
Product: Enterprise Manager
Version: 3.1.1
Product: Big-ip websafe 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
See more versions on NVD
Product: Big-ip advanced firewall manager 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
See more versions on NVD
Product: Big-ip policy enforcement manager 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
See more versions on NVD
Product: Big-ip access policy manager 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
See more versions on NVD
Product: Big-ip analytics 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
See more versions on NVD
Product: Big-ip link controller 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
See more versions on NVD
Product: Big-ip application acceleration manager 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
See more versions on NVD
Product: Big-ip domain name system 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
See more versions on NVD
Product: Big-ip local traffic manager 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
11.5.0
See more versions on NVD
Product: Big-ip application security manager 
Version:
12.1.2
12.1.1
12.1.0
12.0.0
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
See more versions on NVD
Product: Big-ip global traffic manager 
Version:
11.6.1
11.6.0
11.5.4
11.5.3
11.5.2
11.5.1
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
http://www.securityfocus.com/bid/95320
http://www.securitytracker.com/id/1037559
http://www.securitytracker.com/id/1037560
https://support.f5.com/csp/article/K97285349

Related CVE
CVE-2019-6656
BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14,1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12...
CVE-2019-6655
On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data.
CVE-2019-6654
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on a...
CVE-2019-6653
There is a Stored Cross Site Scripting vulnerability in the undisclosed page of a BIG-IQ 6.0.0-6.1.0 or 5.2.0-5.4.0 system. The attack can be stored by users granted the Device Manager and Administrator roles.
CVE-2019-6652
In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS).
CVE-2019-6651
In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.5.1-11.6.4, BIG-IQ 7.0.0, 6.0.0-6.1.0,5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, the Configuration utility login page may not follow best securi...
CVE-2019-6650
F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings.
CVE-2019-6649
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-defa...

Copyright 2019, cxsecurity.com

 
