Detections
Analytics
F5 Networks BIG-IP : XSS vulnerability in undisclosed TMUI page (K21042153)
medium Nessus Plugin ID 118640
Language:
Synopsis
The remote device is missing a vendor-supplied security patch.Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user.(CVE-2018-15313)Impact
BIG-IP
A remote unauthenticated attacker could potentially exploit this vulnerability by sending a specific crafted URL that includes the specific target host name and malicious HTML or JavaScript code to a Configuration utility user, which is then reflected back to the victim and executed by the web browser. If the exploit is successful, an attacker can run JavaScript in the context of the currently logged-in user.
Enterprise Manager, BIG-IQ, iWorkflow, and Traffix SDC
There is no impact for these F5 products; they are not affected by this vulnerability.
Solution
Upgrade to one of the non-vulnerable versions listed in the F5 Solution K21042153.See Also
Plugin Details
Severity: Medium
ID: 118640
File Name: f5_bigip_SOL21042153.nasl
Version: 1.7
Type: local
Published: 11/2/2018
Updated: 11/2/2023
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2018-15313
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/h:f5:big-ip
Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version
Exploit Ease: No known exploits are available
Patch Publication Date: 10/18/2018
Vulnerability Publication Date: 10/19/2018
Reference Information
CVE: CVE-2018-15313