Vulnerabilities > F5 > BIG IP Application Security Manager > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-08-26 CVE-2020-5927 Cross-site Scripting vulnerability in F5 Big-Ip Application Security Manager
In versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, and 14.1.0-14.1.2.6, BIG-IP ASM Configuration utility Stored-Cross Site Scripting.
network
low complexity
f5 CWE-79
6.1
6.1
2020-08-26 CVE-2020-5923 Unspecified vulnerability in F5 products
In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1 and BIG-IQ versions 5.4.0-7.0.0, Self-IP port-lockdown bypass via IPv6 link-local addresses.
low complexity
f5
5.4
5.4
2020-08-26 CVE-2020-5917 Inadequate Encryption Strength vulnerability in F5 products
In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2 and BIG-IQ versions 5.2.0-7.0.0, the host OpenSSH servers utilize keys of less than 2048 bits which are no longer considered secure.
network
high complexity
f5 CWE-326
5.9
5.9
2020-08-26 CVE-2020-5916 Improper Privilege Management vulnerability in F5 products
In BIG-IP versions 15.1.0-15.1.0.4 and 15.0.0-15.0.1.3 the Certificate Administrator user role and higher privileged roles can perform arbitrary file reads outside of the web root directory.
network
low complexity
f5 CWE-269
6.8
6.8
2020-08-26 CVE-2020-5915 Cross-site Scripting vulnerability in F5 products
In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, an undisclosed TMUI page contains a vulnerability which allows a stored XSS when BIG-IP systems are setup in a device trust.
network
low complexity
f5 CWE-79
6.1
6.1
2020-07-01 CVE-2020-5905 Cross-site Scripting vulnerability in F5 products
In version 11.6.1-11.6.5.2 of the BIG-IP system Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before display.
network
low complexity
f5 CWE-79
4.3
4.3
2020-07-01 CVE-2020-5903 Cross-site Scripting vulnerability in F5 products
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.
network
low complexity
f5 CWE-79
6.1
6.1
2020-04-30 CVE-2020-5890 Information Exposure vulnerability in F5 products
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1 and BIG-IQ 5.2.0-7.1.0, when creating a QKView, credentials for binding to LDAP servers used for remote authentication of the BIG-IP administrative interface will not fully obfuscate if they contain whitespace.
local
low complexity
f5 CWE-200
5.5
5.5
2020-02-21 CVE-2013-3587 Information Exposure vulnerability in F5 products
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
network
high complexity
f5 CWE-200
5.9
5.9
2020-02-06 CVE-2020-5854 Unspecified vulnerability in F5 products
On BIG-IP 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.0-11.6.5.1, the tmm crashes under certain circumstances when using the connector profile if a specific sequence of connections are made.
network
high complexity
f5
5.9
5.9