Vulnerabilities > F5 > BIG IP Advanced WEB Application Firewall

DATE CVE VULNERABILITY TITLE RISK
2023-10-10 CVE-2023-41964 Unspecified vulnerability in F5 products
The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
6.5
2023-08-02 CVE-2023-38138 Unspecified vulnerability in F5 products
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
6.1
2023-08-02 CVE-2023-38423 Unspecified vulnerability in F5 products
A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
5.4
2023-08-02 CVE-2023-3470 Improper Authentication vulnerability in F5 products
Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account.
low complexity
f5 CWE-287
6.1
2023-05-03 CVE-2023-24594 Resource Exhaustion vulnerability in F5 products
When an SSL profile is configured on a Virtual Server, undisclosed traffic can cause an increase in CPU or SSL accelerator resource utilization.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-400
5.3
2023-05-03 CVE-2023-27378 Unspecified vulnerability in F5 products
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
6.1
2023-05-03 CVE-2023-28406 Unspecified vulnerability in F5 products
A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension.
network
low complexity
f5
4.3
2023-02-01 CVE-2023-23552 Resource Exhaustion vulnerability in F5 products
On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.0 before 15.1.8, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a BIG-IP Advanced WAF or BIG-IP ASM security policy is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.
network
low complexity
f5 CWE-400
7.5
2022-10-19 CVE-2022-41617 Unspecified vulnerability in F5 Big-Ip Application Security Manager
In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, When the Advanced WAF / ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface.
network
low complexity
f5
7.2
2022-10-19 CVE-2022-41691 Unspecified vulnerability in F5 Big-Ip Application Security Manager
When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.
network
low complexity
f5
7.5