Stored Cross-Site Scripting Vulnerability in F5 Traffix SDC Configuration Utility
CVE-2022-27880
4.8 MEDIUM
Summary
A stored cross-site scripting (XSS) vulnerability exists in undisclosed pages of the F5 Traffix SDC Configuration utility. It affects versions 5.2.x prior to 5.2.2 and 5.1.x prior to 5.1.35, and allows an attacker to inject malicious JavaScript that executes in the context of the currently logged-in user. This could lead to unauthorized actions and data leakage without the user noticing, because the attack runs within their own session.
Affected Version(s)
Traffix SDC 5.2.x < 5.2.2
Traffix SDC 5.1.x < 5.1.35
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
F5 acknowledges TIM Security Red Team Research, Valerio Alessandroni, Matteo Brutti, and Massimiliano Brolli for bringing this issue to our attention and following the highest standards of coordinated disclosure.