CVE-2021-23037 — Cross-site Scripting in F5 Big-ip Access Policy Manager

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

9.6CRITICALNVD

EPSS

0.7%

top 27.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager F5 Big-ip Analytics +8 more

Timeline

PublishedSep 14

Latest updateMay 24

Description

On all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages12 packages

▶NVDf5/big-ip_analytics11.6.0 — 11.6.5+5

▶NVDf5/big-ip_link_controller11.6.0 — 11.6.5+5

▶NVDf5/big-ip_domain_name_system11.6.0 — 11.6.5+5

▶NVDf5/big-ip_access_policy_manager11.6.0 — 11.6.5+5

▶NVDf5/big-ip_local_traffic_manager11.6.0 — 11.6.5+5

🔴Vulnerability Details

GHSA

GHSA-hm86-5wcm-m7h2: On all versions of 16↗2022-05-24

▶

CVEList

CVE-2021-23037: On all versions of 16↗2021-09-14

▶

📋Vendor Advisories

CVE-2021-23037: On all versions of 16↗2021-09-14

▶

External resources

NVD MITRE

Affected products11

F5 Big-ip Access Policy Manager≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+4 more

F5 Big-ip Advanced Firewall Manager≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Analytics≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Application Acceleration Manager≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Application Security Manager≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Domain Name System≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Fraud Protection Service≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Global Traffic Manager≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Link Controller≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

F5 Big-ip Local Traffic Manager≥ 11.6.0, ≤ 11.6.5≥ 12.1.0, ≤ 12.1.6≥ 13.1.0, ≤ 13.1.4+3 more

Disclosure

PublishedSep 14, 2021

Latest updateMay 24, 2022