BIG-IP TMUI XSS vulnerability

CVE-2023-27378

6.1MEDIUM

Key Information

Vendor
F5
Status
BIG-IP
Vendor
CVE Published:
3 May 2023

Summary

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Version(s)

BIG-IP < 17.1.0.1

BIG-IP < 17.0.0

BIG-IP < 16.1.3.4

Refferences

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

F5 acknowledges Yuya Chudo of Secureworks Japan K. K. for bringing this issue to our attention and following the highest standards of coordinated disclosure.
.