Vulnerabilities > F5 > BIG IP Analytics

DATE CVE VULNERABILITY TITLE RISK
2019-07-03 CVE-2019-6626 Cross-site Scripting vulnerability in F5 Big-Ip Advanced Firewall Manager
On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility.
network
low complexity
f5 CWE-79
6.1
2019-07-03 CVE-2019-6625 Cross-site Scripting vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility.
network
low complexity
f5 CWE-79
6.1
2019-07-02 CVE-2019-6623 Unspecified vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, undisclosed traffic sent to BIG-IP iSession virtual server may cause the Traffic Management Microkernel (TMM) to restart, resulting in a Denial-of-Service (DoS).
network
low complexity
f5
7.5
2019-07-02 CVE-2019-6624 Unspecified vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, an undisclosed traffic pattern sent to a BIG-IP UDP virtual server may lead to a denial-of-service (DoS).
network
low complexity
f5
7.5
2019-07-02 CVE-2019-6622 Command Injection vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, an undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user.
network
low complexity
f5 CWE-77
7.2
2019-07-02 CVE-2019-6621 OS Command Injection vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user.
network
low complexity
f5 CWE-78
7.2
2019-07-02 CVE-2019-6620 OS Command Injection vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user.
network
low complexity
f5 CWE-78
7.2
2019-07-01 CVE-2019-6642 Unspecified vulnerability in F5 products
In BIG-IP 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.2, and 11.5.2-11.6.4, BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, authenticated users with the ability to upload files (via scp, for example) can escalate their privileges to allow root shell access from within the TMOS Shell (tmsh) interface.
network
low complexity
f5
8.8
2019-06-19 CVE-2019-11479 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes.
network
low complexity
linux f5 canonical redhat CWE-770
7.5
2019-06-19 CVE-2019-11478 Resource Exhaustion vulnerability in multiple products
Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences.
network
low complexity
linux f5 canonical redhat pulsesecure ivanti CWE-400
7.5