CVE-2014-4023

28.10.2014, 14:55

Cross-site scripting (XSS) vulnerability in tmui/dashboard/echo.jsp in the Configuration utility in F5 BIG-IP LTM, APM, ASM, GTM, and Link Controller 11.0.0 before 11.6.0 and 10.1.0 through 10.2.4, AAM 11.4.0 before 11.6.0, AFM and PEM 11.3.0 before 11.6.0, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 11.0.0 through 11.3.0 and 10.1.0 through 10.2.4, and PSM 11.0.0 through 11.4.1 and 10.1.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	4.3 UNKNOWN	NETWORK	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N
mitre	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 60%

Vendor	Product	Version
f5	big-ip_advanced_firewall_manager	11.3.0
f5	big-ip_advanced_firewall_manager	11.4.0
f5	big-ip_advanced_firewall_manager	11.4.1
f5	big-ip_advanced_firewall_manager	11.5.0
f5	big-ip_advanced_firewall_manager	11.5.1
f5	big-ip_policy_enforcement_manager	11.3.0
f5	big-ip_policy_enforcement_manager	11.4.0
f5	big-ip_policy_enforcement_manager	11.4.1
f5	big-ip_policy_enforcement_manager	11.5.0
f5	big-ip_policy_enforcement_manager	11.5.1
f5	big-ip_application_security_manager	10.1.0
f5	big-ip_application_security_manager	10.2.0
f5	big-ip_application_security_manager	10.2.1
f5	big-ip_application_security_manager	10.2.2
f5	big-ip_application_security_manager	10.2.3
f5	big-ip_application_security_manager	10.2.4
f5	big-ip_application_security_manager	11.0.0
f5	big-ip_application_security_manager	11.1.0
f5	big-ip_application_security_manager	11.2.0
f5	big-ip_application_security_manager	11.2.1
f5	big-ip_application_security_manager	11.3.0
f5	big-ip_application_security_manager	11.4.0
f5	big-ip_application_security_manager	11.4.1
f5	big-ip_application_security_manager	11.5.0
f5	big-ip_application_security_manager	11.5.1
f5	big-ip_application_acceleration_manager	11.4.0
f5	big-ip_application_acceleration_manager	11.4.1
f5	big-ip_application_acceleration_manager	11.5.0
f5	big-ip_application_acceleration_manager	11.5.1
f5	enterprise_manager	3.0.0
f5	enterprise_manager	3.1.0
f5	enterprise_manager	3.1.1
f5	enterprise_manager	2.1.0
f5	enterprise_manager	2.2.0
f5	enterprise_manager	2.3.0
f5	big-ip_edge_gateway	10.1.0
f5	big-ip_edge_gateway	10.2.0
f5	big-ip_edge_gateway	10.2.1
f5	big-ip_edge_gateway	10.2.2
f5	big-ip_edge_gateway	10.2.3
f5	big-ip_edge_gateway	10.2.4
f5	big-ip_edge_gateway	11.0.0
f5	big-ip_edge_gateway	11.1.0
f5	big-ip_edge_gateway	11.2.0
f5	big-ip_edge_gateway	11.2.1
f5	big-ip_edge_gateway	11.3.0
f5	big-ip_global_traffic_manager	10.1.0
f5	big-ip_global_traffic_manager	10.2.0
f5	big-ip_global_traffic_manager	10.2.1
f5	big-ip_global_traffic_manager	10.2.2
f5	big-ip_global_traffic_manager	10.2.3
f5	big-ip_global_traffic_manager	10.2.4
f5	big-ip_global_traffic_manager	11.0.0
f5	big-ip_global_traffic_manager	11.1.0
f5	big-ip_global_traffic_manager	11.2.0
f5	big-ip_global_traffic_manager	11.2.1
f5	big-ip_global_traffic_manager	11.3.0
f5	big-ip_global_traffic_manager	11.4.0
f5	big-ip_global_traffic_manager	11.4.1
f5	big-ip_global_traffic_manager	11.5.0
f5	big-ip_global_traffic_manager	11.5.1
f5	big-ip_link_controller	10.1.0
f5	big-ip_link_controller	10.2.0
f5	big-ip_link_controller	10.2.1
f5	big-ip_link_controller	10.2.2
f5	big-ip_link_controller	10.2.3
f5	big-ip_link_controller	10.2.4
f5	big-ip_link_controller	11.0.0
f5	big-ip_link_controller	11.1.0
f5	big-ip_link_controller	11.2.0
f5	big-ip_link_controller	11.2.1
f5	big-ip_link_controller	11.3.0
f5	big-ip_link_controller	11.4.0
f5	big-ip_link_controller	11.4.1
f5	big-ip_link_controller	11.5.0
f5	big-ip_link_controller	11.5.1
f5	big-ip_local_traffic_manager	10.1.0
f5	big-ip_local_traffic_manager	10.2.0
f5	big-ip_local_traffic_manager	10.2.1
f5	big-ip_local_traffic_manager	10.2.2
f5	big-ip_local_traffic_manager	10.2.3
f5	big-ip_local_traffic_manager	10.2.4
f5	big-ip_local_traffic_manager	11.0.0
f5	big-ip_local_traffic_manager	11.1.0
f5	big-ip_local_traffic_manager	11.2.0
f5	big-ip_local_traffic_manager	11.2.1
f5	big-ip_local_traffic_manager	11.3.0
f5	big-ip_local_traffic_manager	11.4.0
f5	big-ip_local_traffic_manager	11.4.1
f5	big-ip_local_traffic_manager	11.5.0
f5	big-ip_local_traffic_manager	11.5.1
f5	big-ip_access_policy_manager	10.1.0
f5	big-ip_access_policy_manager	10.2.0
f5	big-ip_access_policy_manager	10.2.1
f5	big-ip_access_policy_manager	10.2.2
f5	big-ip_access_policy_manager	10.2.3
f5	big-ip_access_policy_manager	10.2.4
f5	big-ip_access_policy_manager	11.0.0
f5	big-ip_access_policy_manager	11.1.0
f5	big-ip_access_policy_manager	11.2.0
f5	big-ip_access_policy_manager	11.2.1
f5	big-ip_access_policy_manager	11.3.0
f5	big-ip_access_policy_manager	11.4.0
f5	big-ip_access_policy_manager	11.4.1
f5	big-ip_access_policy_manager	11.5.0
f5	big-ip_access_policy_manager	11.5.1
f5	big-ip_protocol_security_module	10.1.0
f5	big-ip_protocol_security_module	10.2.0
f5	big-ip_protocol_security_module	10.2.1
f5	big-ip_protocol_security_module	10.2.2
f5	big-ip_protocol_security_module	10.2.3
f5	big-ip_protocol_security_module	10.2.4
f5	big-ip_protocol_security_module	11.0.0
f5	big-ip_protocol_security_module	11.1.0
f5	big-ip_protocol_security_module	11.2.0
f5	big-ip_protocol_security_module	11.2.1
f5	big-ip_protocol_security_module	11.3.0
f5	big-ip_protocol_security_module	11.4.0
f5	big-ip_protocol_security_module	11.4.1
f5	big-ip_webaccelerator	10.1.0
f5	big-ip_webaccelerator	10.2.0
f5	big-ip_webaccelerator	10.2.1
f5	big-ip_webaccelerator	10.2.2
f5	big-ip_webaccelerator	10.2.3
f5	big-ip_webaccelerator	10.2.4
f5	big-ip_webaccelerator	11.0.0
f5	big-ip_webaccelerator	11.1.0
f5	big-ip_webaccelerator	11.2.0
f5	big-ip_webaccelerator	11.2.1
f5	big-ip_webaccelerator	11.3.0
f5	big-ip_wan_optimization_manager	10.1.0
f5	big-ip_wan_optimization_manager	10.2.0
f5	big-ip_wan_optimization_manager	10.2.1
f5	big-ip_wan_optimization_manager	10.2.2
f5	big-ip_wan_optimization_manager	10.2.3
f5	big-ip_wan_optimization_manager	10.2.4
f5	big-ip_wan_optimization_manager	11.0.0
f5	big-ip_wan_optimization_manager	11.1.0
f5	big-ip_wan_optimization_manager	11.2.0
f5	big-ip_wan_optimization_manager	11.2.1
f5	big-ip_wan_optimization_manager	11.3.0
f5	big-ip_analytics	11.0.0
f5	big-ip_analytics	11.1.0
f5	big-ip_analytics	11.2.0
f5	big-ip_analytics	11.2.1
f5	big-ip_analytics	11.3.0
f5	big-ip_analytics	11.4.0
f5	big-ip_analytics	11.4.1
f5	big-ip_analytics	11.5.0
f5	big-ip_analytics	11.5.1

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://www.securitytracker.com/id/1030776

https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140828-F5_BIG-IP_Reflected_XSS_v10.txt

http://www.securitytracker.com/id/1030776

https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140828-F5_BIG-IP_Reflected_XSS_v10.txt