Vulnerabilities > F5 > BIG IP Policy Enforcement Manager

DATE CVE VULNERABILITY TITLE RISK
2018-10-19 CVE-2018-15312 Cross-site Scripting vulnerability in F5 products
On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an authenticated user to execute JavaScript for the currently logged-in user.
network
low complexity
f5 CWE-79
6.1
2018-10-10 CVE-2018-15311 Unspecified vulnerability in F5 products
When F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.5.1-11.5.6 is processing specially crafted TCP traffic with the Large Receive Offload (LRO) feature enabled, TMM may crash, leading to a failover event.
network
high complexity
f5
5.9
2018-10-08 CVE-2016-7475 Improper Input Validation vulnerability in F5 products
Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11.4.0-11.5.4 HF1, the Traffic Management Microkernel (TMM) may not properly clean-up pool member network connections when using SPDY or HTTP/2 virtual server profiles.
network
low complexity
f5 CWE-20
7.5
2018-09-06 CVE-2018-5391 Improper Input Validation vulnerability in multiple products
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly.
7.5
2018-08-06 CVE-2018-5390 Resource Exhaustion vulnerability in multiple products
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.
7.5
2018-07-25 CVE-2018-5542 Improper Input Validation vulnerability in F5 products
F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.6, or 11.2.1-11.6.3.2 HTTPS health monitors do not validate the identity of the monitored server.
network
high complexity
f5 CWE-20
8.1
2018-07-25 CVE-2018-5537 Improper Input Validation vulnerability in F5 products
A remote attacker may be able to disrupt services on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.2.1-11.5.6 if the TMM virtual server is configured with a HTML or a Rewrite profile.
network
high complexity
f5 CWE-20
5.3
2018-07-25 CVE-2018-5531 Improper Input Validation vulnerability in F5 products
Through undisclosed methods, on F5 BIG-IP 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.2.1-11.5.6, adjacent network attackers can cause a denial of service for VCMP guest and host systems.
low complexity
f5 CWE-20
7.4
2018-07-25 CVE-2018-5530 Resource Exhaustion vulnerability in F5 products
F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual servers with HTTP/2 profiles enabled are vulnerable to "HPACK Bomb".
network
low complexity
f5 CWE-400
7.5
2018-07-19 CVE-2018-5535 Improper Input Validation vulnerability in F5 products
On F5 BIG-IP 14.0.0, 13.0.0-13.1.0, 12.1.0-12.1.3, or 11.5.1-11.6.3 specifically crafted HTTP responses, when processed by a Virtual Server with an associated QoE profile that has Video enabled, may cause TMM to incorrectly buffer response data causing the TMM to restart resulting in a Denial of Service.
network
low complexity
f5 CWE-20
7.5