CVE-2020-5950 — Cross-site Scripting in F5 Big-ip Advanced Firewall Manager

CWE-79 — Cross-site Scripting CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.8%

top 25.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Advanced Firewall Manager F5 Big-ip Access Policy Manager

Timeline

PublishedDec 11

Latest updateMay 24

Description

On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDf5/big-ip_advanced_firewall_manager14.1.0 — 14.1.2.7

▶CVEListV5f5/big-ip_access_policy_manager14.1.0-14.1.2.6

▶CVEListV5f5/big-ip_advanced_firewall_manager14.1.0-14.1.2.6

🔴Vulnerability Details

GHSA

GHSA-rjcf-2qpv-xpv2: On BIG-IP 14↗2022-05-24

▶

CVEList

CVE-2020-5950: On BIG-IP 14↗2020-12-11

▶

💥Exploits & PoCs

Exploit-DB

Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)↗2020-10-29

▶

📋Vendor Advisories

CVE-2020-5950: On BIG-IP 14↗2020-12-11

▶