Stored Cross-Site Scripting Vulnerability in F5 BIG-IP Configuration Utility
CVE-2025-24320
5.1 MEDIUM
Summary
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the F5 BIG-IP Configuration utility. It allows an attacker to run JavaScript in the context of the currently logged-in user, potentially exposing sensitive data or compromising user sessions. The vulnerability arises from an incomplete fix for a previous security issue and calls for prompt attention.
Affected Version(s)
BIG-IP 17.1.0 < 17.1.2
BIG-IP 16.1.0 < 16.1.5.2
BIG-IP 15.1.0 < 15.1.10.6
CVSS V4
Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
F5 acknowledges Lukasz Plonka for bringing this issue to our attention and following the highest standards of coordinated disclosure.