CVE-2022-23013

Published: Jan 25, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected (12)

Products: F5: Big Ip Domain Name System, Big Ip Global Traffic Manager

2 products

Big Ip Domain Name System

Big Ip Global Traffic Manager

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Domain Name System	From 11.0.0 to 11.6.5
F5 Big Ip Domain Name System	From 12.0.0 to 12.1.6
F5 Big Ip Domain Name System	From 13.0.0 to 13.1.4
F5 Big Ip Domain Name System	From 14.0.0 to 14.1.4.4
F5 Big Ip Domain Name System	From 15.1.0 to 15.1.4
F5 Big Ip Domain Name System	From 16.0.0 to 16.1.0
F5 Big Ip Global Traffic Manager	From 11.0.0 to 11.6.5
F5 Big Ip Global Traffic Manager	From 12.0.0 to 12.1.6
F5 Big Ip Global Traffic Manager	From 13.0.0 to 13.1.4
F5 Big Ip Global Traffic Manager	From 14.0.0 to 14.1.4.4
F5 Big Ip Global Traffic Manager	From 15.1.0 to 15.1.4
F5 Big Ip Global Traffic Manager	From 16.0.0 to 16.1.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://support.f5.com/csp/article/K29500533

Source: f5sirt@f5.com

Vendor Advisory

https://support.f5.com/csp/article/K29500533

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.