CVE-2016-7469

09.06.2017, 15:29

A stored cross-site scripting (XSS) vulnerability in the Configuration utility device name change page in BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, WOM and WebSafe version 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, and 11.2.1 allows an authenticated user to inject arbitrary web script or HTML. Exploitation requires Resource Administrator or Administrator privileges, and it could cause the Configuration utility client to become unstable.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
f5	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
f5	big-ip_local_traffic_manager	11.2.1
f5	big-ip_local_traffic_manager	11.4.0
f5	big-ip_local_traffic_manager	11.4.1
f5	big-ip_local_traffic_manager	11.5.0
f5	big-ip_local_traffic_manager	11.5.1
f5	big-ip_local_traffic_manager	11.5.2
f5	big-ip_local_traffic_manager	11.5.3
f5	big-ip_local_traffic_manager	11.5.4
f5	big-ip_local_traffic_manager	11.6.0
f5	big-ip_local_traffic_manager	11.6.1
f5	big-ip_local_traffic_manager	12.0.0
f5	big-ip_local_traffic_manager	12.1.0
f5	big-ip_local_traffic_manager	12.1.1
f5	big-ip_local_traffic_manager	12.1.2
f5	big-ip_application_acceleration_manager	11.4.0
f5	big-ip_application_acceleration_manager	11.4.1
f5	big-ip_application_acceleration_manager	11.5.0
f5	big-ip_application_acceleration_manager	11.5.1
f5	big-ip_application_acceleration_manager	11.5.2
f5	big-ip_application_acceleration_manager	11.5.3
f5	big-ip_application_acceleration_manager	11.5.4
f5	big-ip_application_acceleration_manager	11.6.0
f5	big-ip_application_acceleration_manager	11.6.1
f5	big-ip_application_acceleration_manager	12.0.0
f5	big-ip_application_acceleration_manager	12.1.0
f5	big-ip_application_acceleration_manager	12.1.1
f5	big-ip_application_acceleration_manager	12.1.2
f5	big-ip_advanced_firewall_manager	11.2.1
f5	big-ip_advanced_firewall_manager	11.4.0
f5	big-ip_advanced_firewall_manager	11.4.1
f5	big-ip_advanced_firewall_manager	11.5.0
f5	big-ip_advanced_firewall_manager	11.5.1
f5	big-ip_advanced_firewall_manager	11.5.2
f5	big-ip_advanced_firewall_manager	11.5.3
f5	big-ip_advanced_firewall_manager	11.5.4
f5	big-ip_advanced_firewall_manager	11.6.0
f5	big-ip_advanced_firewall_manager	11.6.1
f5	big-ip_advanced_firewall_manager	12.0.0
f5	big-ip_advanced_firewall_manager	12.1.0
f5	big-ip_advanced_firewall_manager	12.1.1
f5	big-ip_advanced_firewall_manager	12.1.2
f5	big-ip_analytics	11.2.1
f5	big-ip_analytics	11.4.0
f5	big-ip_analytics	11.4.1
f5	big-ip_analytics	11.5.0
f5	big-ip_analytics	11.5.1
f5	big-ip_analytics	11.5.2
f5	big-ip_analytics	11.5.3
f5	big-ip_analytics	11.5.4
f5	big-ip_analytics	11.6.0
f5	big-ip_analytics	11.6.1
f5	big-ip_analytics	12.0.0
f5	big-ip_analytics	12.1.0
f5	big-ip_analytics	12.1.1
f5	big-ip_analytics	12.1.2
f5	big-ip_access_policy_manager	11.2.1
f5	big-ip_access_policy_manager	11.4.0
f5	big-ip_access_policy_manager	11.4.1
f5	big-ip_access_policy_manager	11.5.0
f5	big-ip_access_policy_manager	11.5.1
f5	big-ip_access_policy_manager	11.5.2
f5	big-ip_access_policy_manager	11.5.3
f5	big-ip_access_policy_manager	11.5.4
f5	big-ip_access_policy_manager	11.6.0
f5	big-ip_access_policy_manager	11.6.1
f5	big-ip_access_policy_manager	12.0.0
f5	big-ip_access_policy_manager	12.1.0
f5	big-ip_access_policy_manager	12.1.1
f5	big-ip_access_policy_manager	12.1.2
f5	big-ip_application_security_manager	11.2.1
f5	big-ip_application_security_manager	11.4.0
f5	big-ip_application_security_manager	11.4.1
f5	big-ip_application_security_manager	11.5.0
f5	big-ip_application_security_manager	11.5.1
f5	big-ip_application_security_manager	11.5.2
f5	big-ip_application_security_manager	11.5.3
f5	big-ip_application_security_manager	11.5.4
f5	big-ip_application_security_manager	11.6.0
f5	big-ip_application_security_manager	11.6.1
f5	big-ip_application_security_manager	12.0.0
f5	big-ip_application_security_manager	12.1.0
f5	big-ip_application_security_manager	12.1.1
f5	big-ip_application_security_manager	12.1.2
f5	big-ip_domain_name_system	12.0.0
f5	big-ip_domain_name_system	12.1.0
f5	big-ip_domain_name_system	12.1.1
f5	big-ip_domain_name_system	12.1.2
f5	big-ip_edge_gateway	11.2.1
f5	big-ip_global_traffic_manager	11.2.1
f5	big-ip_global_traffic_manager	11.4.0
f5	big-ip_global_traffic_manager	11.4.1
f5	big-ip_global_traffic_manager	11.5.0
f5	big-ip_global_traffic_manager	11.5.1
f5	big-ip_global_traffic_manager	11.5.2
f5	big-ip_global_traffic_manager	11.5.3
f5	big-ip_global_traffic_manager	11.5.4
f5	big-ip_global_traffic_manager	11.6.0
f5	big-ip_global_traffic_manager	11.6.1
f5	big-ip_link_controller	11.2.1
f5	big-ip_link_controller	11.4.0
f5	big-ip_link_controller	11.4.1
f5	big-ip_link_controller	11.5.0
f5	big-ip_link_controller	11.5.1
f5	big-ip_link_controller	11.5.2
f5	big-ip_link_controller	11.5.3
f5	big-ip_link_controller	11.5.4
f5	big-ip_link_controller	11.6.0
f5	big-ip_link_controller	11.6.1
f5	big-ip_link_controller	12.0.0
f5	big-ip_link_controller	12.1.0
f5	big-ip_link_controller	12.1.1
f5	big-ip_link_controller	12.1.2
f5	big-ip_policy_enforcement_manager	11.4.0
f5	big-ip_policy_enforcement_manager	11.4.1
f5	big-ip_policy_enforcement_manager	11.5.0
f5	big-ip_policy_enforcement_manager	11.5.1
f5	big-ip_policy_enforcement_manager	11.5.2
f5	big-ip_policy_enforcement_manager	11.5.3
f5	big-ip_policy_enforcement_manager	11.5.4
f5	big-ip_policy_enforcement_manager	11.6.0
f5	big-ip_policy_enforcement_manager	11.6.1
f5	big-ip_policy_enforcement_manager	12.0.0
f5	big-ip_policy_enforcement_manager	12.1.0
f5	big-ip_policy_enforcement_manager	12.1.1
f5	big-ip_policy_enforcement_manager	12.1.2
f5	big-ip_protocol_security_module	11.4.0
f5	big-ip_protocol_security_module	11.4.1
f5	big-ip_webaccelerator	11.2.1
f5	big-ip_websafe	11.6.0
f5	big-ip_websafe	11.6.1
f5	big-ip_websafe	12.0.0
f5	big-ip_websafe	12.1.0
f5	big-ip_websafe	12.1.1
f5	big-ip_websafe	12.1.2
f5	big-ip_wan_optimization_manager	11.2.1
f5	enterprise_manager	3.1.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://www.securityfocus.com/bid/95320

http://www.securitytracker.com/id/1037559

http://www.securitytracker.com/id/1037560

https://support.f5.com/csp/article/K97285349

http://www.securityfocus.com/bid/95320

http://www.securitytracker.com/id/1037559

http://www.securitytracker.com/id/1037560

https://support.f5.com/csp/article/K97285349