Cross-Site Scripting Vulnerability in F5 BIG-IP Products
CVE-2019-6600

6.1MEDIUM

Key Information:

Vendor: F5
Status: Big-ip (ltm, Aam, Afm, Analytics, Apm, Asm, Dns, Edge Gateway, Fps, Gtm, Link Controller, Pem, Webaccelerator)
Vendor: CVE Published:; 11 March 2019

What is CVE-2019-6600?

In specific versions of F5 BIG-IP, when remote authentication is enabled for administrative users and external users are assigned the 'guest' role, there is a potential for unsanitized values to be reflected back to the client through the login page. This susceptibility can expose unauthenticated clients to cross-site scripting attacks, allowing attackers to execute arbitrary scripts in the context of a user's session, which can result in unauthorized actions and sensitive data exposure.

Affected Version(s)

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, 11.5.1-11.5.8

References

https://support.f5.com/csp/article/K23734425

x_refsource_CONFIRM

http://www.securityfocus.com/bid/107470

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2019
Vulnerability Reserved
Jan 22, 2019