Vulnerabilities > F5 > BIG IQ Centralized Management
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-03-31 | CVE-2021-23006 | Cross-site Scripting vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability. | 6.1 |
| 2021-03-31 | CVE-2021-23005 | Unspecified vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), when using a Quorum device for BIG-IQ high availability (HA) for automatic failover, BIG-IQ does not make use of Transport Layer Security (TLS) with the Corosync protocol. | 9.1 |
| 2021-03-31 | CVE-2021-22997 | Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. | 7.5 |
| 2021-03-31 | CVE-2021-22996 | Unspecified vulnerability in F5 Big-Iq Centralized Management 7.0.0/7.1.0/7.1.0.1 On all 7.x versions (fixed in 8.0.0), when set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort. | 7.5 |
| 2021-03-31 | CVE-2021-22995 | Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon. | 7.5 |
| 2021-03-31 | CVE-2021-22986 | Server-Side Request Forgery (SSRF) vulnerability in F5 products On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. | 9.8 |
| 2021-02-12 | CVE-2021-22974 | Race Condition vulnerability in F5 products On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. | 7.5 |
| 2020-11-05 | CVE-2020-5944 | Unspecified vulnerability in F5 Big-Iq Centralized Management 7.1.0 In BIG-IQ 7.1.0, accessing the DoS Summary events and DNS Overview pages in the BIG-IQ system interface returns an error message due to disabled Grafana reverse proxy in web service configuration. | 4.3 |
| 2020-09-25 | CVE-2020-5930 | Unspecified vulnerability in F5 products In BIG-IP 15.0.0-15.1.0.4, 14.1.0-14.1.2.7, 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2 and BIG-IQ 5.2.0-7.1.0, unauthenticated attackers can cause disruption of service via undisclosed methods. | 7.5 |
| 2020-08-26 | CVE-2020-5923 | Unspecified vulnerability in F5 products In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1 and BIG-IQ versions 5.4.0-7.0.0, Self-IP port-lockdown bypass via IPv6 link-local addresses. low complexity f5 | 5.4 |