Vulnerabilities > F5 > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-11-06 CVE-2024-10318 Session Fixation vulnerability in F5 products
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time.
network
low complexity
f5 CWE-384
5.4
2024-08-14 CVE-2024-37028 Improper Authentication vulnerability in F5 Big-Ip Next Central Manager
BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-287
5.3
2024-08-14 CVE-2024-41719 Information Exposure Through Log Files vulnerability in F5 Big-Ip Next Central Manager
When generating QKView of BIG-IP Next instance from the BIG-IP Next Central Manager (CM), F5 iHealth credentials will be logged in the BIG-IP Central Manager logs.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
local
low complexity
f5 CWE-532
5.5
2024-08-14 CVE-2024-41723 Unspecified vulnerability in F5 products
Undisclosed requests to BIG-IP iControl REST can lead to information leak of user account names.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
4.3
2024-08-14 CVE-2024-7347 Out-of-bounds Read vulnerability in F5 Nginx Open Source and Nginx Plus
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file.
local
high complexity
f5 CWE-125
4.7
2023-10-10 CVE-2023-41964 Unspecified vulnerability in F5 products
The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
6.5
2023-08-02 CVE-2023-36494 Information Exposure Through Log Files vulnerability in F5 F5Os-A 1.4.0
Audit logs on F5OS-A may contain undisclosed sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
local
low complexity
f5 CWE-532
4.4
2023-08-02 CVE-2023-36858 Unspecified vulnerability in F5 products
An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
local
low complexity
f5
5.5
2023-08-02 CVE-2023-38138 Unspecified vulnerability in F5 products
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
6.1
2023-08-02 CVE-2023-38423 Unspecified vulnerability in F5 products
A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
5.4