Stored XSS vulnerability in BIG-IP Configuration utility
CVE-2024-31156

8HIGH

Key Information:

Vendor: F5
Status: Big-ip
Vendor: CVE Published:; 8 May 2024

Summary

The F5 BIG-IP Configuration utility possesses a stored cross-site scripting vulnerability that can be exploited via an undisclosed page. This vulnerability enables an attacker to inject and execute malicious JavaScript code within the context of a currently authenticated user, potentially compromising user data and application integrity. Notably, versions of the software that have reached End of Technical Support (EoTS) are not reviewed for this particular vulnerability.

Affected Version(s)

BIG-IP 17.1.0 < 17.1.1.3

BIG-IP 16.1.0 < 16.1.4.3

BIG-IP 15.1.0 < 15.1.10.4

References

https://my.f5.com/manage/s/article/K000138636

vendor-advisory

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 8, 2024
Vulnerability Reserved
Apr 24, 2024

Credit

F5 acknowledges Lukasz Plonka for bringing this issue to our attention and following the highest standards of coordinated disclosure.