CVE-2016-9257

Published: May 9, 2017Modified: May 13, 2026

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

In F5 BIG-IP APM 12.0.0 through 12.1.2, non-authenticated users may be able to inject JavaScript into a request that will then be rendered and executed in the context of the Administrative user when the Administrative user is viewing the Access System Logs, allowing the non-authenticated user to carry out a Cross Site Scripting (XSS) attack against the Administrative user.

Affected (4)

Products: F5: Big Ip Access Policy Manager

1 product

Big Ip Access Policy Manager

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Access Policy Manager	Version 12.0.0
F5 Big Ip Access Policy Manager	Version 12.1.0
F5 Big Ip Access Policy Manager	Version 12.1.1
F5 Big Ip Access Policy Manager	Version 12.1.2

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://www.securitytracker.com/id/1038416

Source: f5sirt@f5.com

https://support.f5.com/csp/article/K43523962

Source: f5sirt@f5.com

Vendor Advisory

http://www.securitytracker.com/id/1038416

Source: af854a3a-2127-422b-91ae-364da2661108

https://support.f5.com/csp/article/K43523962

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.