CVE-2022-28716

Published: May 5, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

On 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP AFM, CGNAT, and PEM Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected (18)

Products: F5: Big Ip Advanced Firewall Manager, Big Ip Carrier Grade Nat, Big Ip Policy Enforcement Manager

3 products

Big Ip Advanced Firewall Manager

Big Ip Carrier Grade Nat

Big Ip Policy Enforcement Manager

Configuration A

18 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Advanced Firewall Manager	From 11.6.1 to 11.6.5
F5 Big Ip Advanced Firewall Manager	From 12.1.0 to 12.1.6
F5 Big Ip Advanced Firewall Manager	From 13.1.0 to 13.1.5
F5 Big Ip Advanced Firewall Manager	From 14.1.0 to 14.1.4.6
F5 Big Ip Advanced Firewall Manager	From 15.1.0 to 15.1.5.1
F5 Big Ip Advanced Firewall Manager	From 16.1.0 to 16.1.2.2
F5 Big Ip Carrier Grade Nat	From 11.6.1 to 11.6.5
F5 Big Ip Carrier Grade Nat	From 12.1.0 to 12.1.6
F5 Big Ip Carrier Grade Nat	From 13.1.0 to 13.1.5
F5 Big Ip Carrier Grade Nat	From 14.1.0 to 14.1.4.6
F5 Big Ip Carrier Grade Nat	From 15.1.0 to 15.1.5.1
F5 Big Ip Carrier Grade Nat	From 16.1.0 to 16.1.2.2
F5 Big Ip Policy Enforcement Manager	From 11.6.1 to 11.6.5
F5 Big Ip Policy Enforcement Manager	From 12.1.0 to 12.1.6
F5 Big Ip Policy Enforcement Manager	From 13.1.0 to 13.1.5
F5 Big Ip Policy Enforcement Manager	From 14.1.0 to 14.1.4.6
F5 Big Ip Policy Enforcement Manager	From 15.1.0 to 15.1.5.1
F5 Big Ip Policy Enforcement Manager	From 16.1.0 to 16.1.2.2

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://support.f5.com/csp/article/K25451853

Source: f5sirt@f5.com

MitigationVendor Advisory

https://support.f5.com/csp/article/K25451853

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.