CVE-2016-9257 — Cross-site Scripting in F5 Big-ip Access Policy Manager

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 47.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Networks INC Big-ip APM F5 Big-ip Access Policy Manager F5 Big-ip APM

Timeline

PublishedMay 9

Latest updateMay 17

Description

In F5 BIG-IP APM 12.0.0 through 12.1.2, non-authenticated users may be able to inject JavaScript into a request that will then be rendered and executed in the context of the Administrative user when the Administrative user is viewing the Access System Logs, allowing the non-authenticated user to carry out a Cross Site Scripting (XSS) attack against the Administrative user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDf5/big-ip_access_policy_manager4 versions+3

▶f5f5/big-ip_apm

▶CVEListV5f5_networks_inc/big-ip_apm12.0.0 through 12.1.2

🔴Vulnerability Details

GHSA

GHSA-p7v7-rhh4-c276: In F5 BIG-IP APM 12↗2022-05-17

▶

📋Vendor Advisories

CVE-2016-9257: In F5 BIG-IP APM 12↗2017-05-09

▶