Vulnerabilities: F5 BIG-IP Access Policy Manager

DATE | CVE | VULNERABILITY TITLE | RISK (attack vector; attack complexity; vendor; CWE; score)

2023-09-27 | CVE-2023-43124 | Cleartext Transmission of Sensitive Information vulnerability in F5 products
  BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: low complexity; f5; CWE-319; 7.1

2023-09-27 | CVE-2023-43125 | Cleartext Transmission of Sensitive Information vulnerability in F5 products
  BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network; low complexity; f5; CWE-319; 8.2

2023-08-02 | CVE-2023-36858 | Insufficient Verification of Data Authenticity vulnerability in F5 products
  An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: local; low complexity; f5; CWE-345; 5.5

2023-08-02 | CVE-2023-38138 | Cross-site Scripting vulnerability in F5 products
  A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network; low complexity; f5; CWE-79; 6.1

2023-08-02 | CVE-2023-38418 | Improper Verification of Cryptographic Signature vulnerability in F5 BIG-IP Access Policy Manager
  The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: local; low complexity; f5; CWE-347; 7.8

2023-08-02 | CVE-2023-38419 | Improper Handling of Exceptional Conditions vulnerability in F5 products
  An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network; low complexity; f5; CWE-755; 4.3

2023-08-02 | CVE-2023-38423 | Cross-site Scripting vulnerability in F5 products
  A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network; low complexity; f5; CWE-79; 5.4

2023-08-02 | CVE-2023-3470 | Improper Authentication vulnerability in F5 products
  Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account.
  Risk: low complexity; f5; CWE-287; 6.1

2023-05-03 | CVE-2023-22372 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in F5 BIG-IP Access Policy Manager
  In the pre-connection stage, an improper enforcement of message integrity vulnerability exists in BIG-IP Edge Client for Windows and macOS. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network; high complexity; f5; CWE-924; 5.9

2023-05-03 | CVE-2023-24461 | Improper Certificate Validation vulnerability in F5 BIG-IP Access Policy Manager
  An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network; high complexity; f5; CWE-295; 5.9