Vulnerabilities > F5

DATE CVE VULNERABILITY TITLE RISK
2018-10-19 CVE-2018-15312 Cross-site Scripting vulnerability in F5 products
On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an authenticated user to execute JavaScript for the currently logged-in user.
network
low complexity
f5 CWE-79
6.1
2018-10-10 CVE-2018-15311 Unspecified vulnerability in F5 products
When F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.5.1-11.5.6 is processing specially crafted TCP traffic with the Large Receive Offload (LRO) feature enabled, TMM may crash, leading to a failover event.
network
high complexity
f5
5.9
2018-10-08 CVE-2016-7475 Improper Input Validation vulnerability in F5 products
Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11.4.0-11.5.4 HF1, the Traffic Management Microkernel (TMM) may not properly clean-up pool member network connections when using SPDY or HTTP/2 virtual server profiles.
network
low complexity
f5 CWE-20
7.5
2018-09-13 CVE-2018-5549 Improper Input Validation vulnerability in F5 Big-Ip Access Policy Manager
On BIG-IP APM 11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, and 13.1.0-13.1.0.3, APMD may core when processing SAML Assertion or response containing certain elements.
network
low complexity
f5 CWE-20
7.5
2018-09-13 CVE-2018-5548 Open Redirect vulnerability in F5 Big-Ip Access Policy Manager 11.6.1/11.6.2/11.6.3
On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig_uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value using different blocks of cipher texts.
network
low complexity
f5 CWE-601
6.1
2018-09-13 CVE-2018-5545 Improper Input Validation vulnerability in F5 Websafe Alert Server
On F5 WebSafe Alert Server 1.0.0-4.2.6, a malicious, authenticated user can execute code on the alert server by using a maliciously crafted payload.
network
low complexity
f5 CWE-20
8.8
2018-09-13 CVE-2018-15310 Information Exposure vulnerability in F5 Big-Ip Access Policy Manager
A vulnerability in BIG-IP APM portal access 11.5.1-11.5.7, 11.6.0-11.6.3, and 12.1.0-12.1.3 discloses the BIG-IP software version in rewritten pages.
network
low complexity
f5 CWE-200
4.3
2018-09-06 CVE-2018-5391 Improper Input Validation vulnerability in multiple products
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly.
7.5
2018-08-17 CVE-2018-5547 Missing Authorization vulnerability in F5 Big-Ip Access Policy Manager Client 7.1.6/7.1.6.1/7.1.7
Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode which uses a SYSTEM account to establish network access.
local
low complexity
f5 CWE-862
7.8
2018-08-17 CVE-2018-5546 Incorrect Permission Assignment for Critical Resource vulnerability in F5 products
The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host.
local
low complexity
f5 CWE-732
7.8