Stored Cross-Site Template Injection in F5 Traffix SDC Configuration Utility
CVE-2022-27662
4.8 MEDIUM
Summary
A stored Cross-Site Template Injection vulnerability in F5 Traffix SDC allows an attacker to execute malicious template-language instructions on the server. The flaw is in an undisclosed page of the Traffix SDC Configuration utility and affects the versions listed below. To mitigate the risk, upgrade to a supported version.
Affected Version(s)
Traffix SDC 5.2.x < 5.2.2
Traffix SDC 5.1.x < 5.1.35
References
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
F5 acknowledges TIM Security Red Team Research, Valerio Alessandroni, Matteo Brutti, and Massimiliano Brolli for bringing this issue to our attention and following the highest standards of coordinated disclosure.