Vulnerabilities > F5 > BIG IP Fraud Protection Service > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-09-14 CVE-2021-23043 Path Traversal vulnerability in F5 products
On BIG-IP, on all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files.
network
low complexity
f5 CWE-22
6.5
2021-09-14 CVE-2021-23041 Cross-site Scripting vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user.
network
low complexity
f5 CWE-79
6.1
2021-03-31 CVE-2021-23007 Unspecified vulnerability in F5 products
On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may start dropping all fragmented IP traffic.
network
low complexity
f5
5.3
2021-03-31 CVE-2021-23001 Unrestricted Upload of File with Dangerous Type vulnerability in F5 products
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the upload functionality in BIG-IP Advanced WAF and BIG-IP ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint.
network
low complexity
f5 CWE-434
4.3
2021-03-31 CVE-2021-22998 Unspecified vulnerability in F5 products
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, SYN flood protection thresholds are not enforced in secure network address translation (SNAT) listeners.
network
low complexity
f5
5.3
2021-03-31 CVE-2021-22994 Cross-site Scripting vulnerability in F5 products
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.
network
low complexity
f5 CWE-79
6.1
2021-02-12 CVE-2021-22981 Unspecified vulnerability in F5 products
On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627.
network
high complexity
f5
4.8
2021-02-12 CVE-2021-22979 Cross-site Scripting vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user.
network
low complexity
f5 CWE-79
6.1
2020-12-24 CVE-2020-27727 Improper Input Validation vulnerability in F5 products
On BIG-IP version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, when an authenticated administrative user installs RPMs using the iAppsLX REST installer, the BIG-IP system does not sufficiently validate user input, allowing the user read access to the filesystem.
network
low complexity
f5 CWE-20
4.9
2020-12-24 CVE-2020-27719 Cross-site Scripting vulnerability in F5 products
On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.
network
low complexity
f5 CWE-79
6.1