ID

VAR-201310-0379


CVE

CVE-2013-5976


TITLE

F5 BIG-IP APM Access policy logout page cross-site scripting vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2013-004449 // CNNVD: CNNVD-201309-440

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the access policy logout page (logout.inc) in F5 BIG-IP APM 10.1.0 through 10.2.4 and 11.1.0 through 11.3.0 allows remote attackers to inject arbitrary web script or HTML via the LastMRH_Session cookie. F5 BIG-IP APM is prone to a cross-site scripting vulnerability because it fails to properly sanitize certain unspecified input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. F5 BIG-IP APM 10.1.0 through 10.2.4 and 11.1.0 through 11.3.0 are vulnerable; other versions may also be affected. F5 BIG-IP Access Policy Manager (APM) is a set of access and security solutions from F5 Corporation of the United States. The solution provides unified access to business-critical applications and networks.

Trust: 1.98

sources: NVD: CVE-2013-5976 // JVNDB: JVNDB-2013-004449 // BID: 62596 // VULHUB: VHN-65978

AFFECTED PRODUCTS

vendor: f5, model: big-ip access policy manager, scope: eq, version: 11.0.0

Trust: 1.6

vendor: f5, model: big-ip access policy manager, scope: eq, version: 11.3.0

Trust: 1.6

vendor: f5, model: big-ip access policy manager, scope: eq, version: 11.1.0

Trust: 1.6

vendor: f5, model: big-ip access policy manager, scope: eq, version: 10.2.4

Trust: 1.6

vendor: f5, model: big-ip access policy manager, scope: eq, version: 10.1.0

Trust: 1.6

vendor: f5, model: big-ip access policy manager, scope: eq, version: 10.1.0 to 10.2.4

Trust: 0.8

vendor: f5, model: big-ip access policy manager, scope: eq, version: 11.1.0 to 11.3.0

Trust: 0.8

sources: JVNDB: JVNDB-2013-004449 // CNNVD: CNNVD-201309-440 // NVD: CVE-2013-5976

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-5976
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-5976
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201309-440
value: MEDIUM

Trust: 0.6

VULHUB: VHN-65978
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-5976
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-65978
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-65978 // JVNDB: JVNDB-2013-004449 // CNNVD: CNNVD-201309-440 // NVD: CVE-2013-5976

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-65978 // JVNDB: JVNDB-2013-004449 // NVD: CVE-2013-5976

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201309-440

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201309-440

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004449

PATCH

title: SOL14712: The BIG-IP APM access policy logout page may be vulnerable to XSS cookie tampering
url: http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14712.html

Trust: 0.8

sources: JVNDB: JVNDB-2013-004449

EXTERNAL IDS

db: NVD, id: CVE-2013-5976

Trust: 2.8

db: BID, id: 62596

Trust: 2.0

db: SECUNIA, id: 54941

Trust: 1.7

db: SECTRACK, id: 1029079

Trust: 1.1

db: JVNDB, id: JVNDB-2013-004449

Trust: 0.8

db: CNNVD, id: CNNVD-201309-440

Trust: 0.7

db: VULHUB, id: VHN-65978

Trust: 0.1

sources: VULHUB: VHN-65978 // BID: 62596 // JVNDB: JVNDB-2013-004449 // CNNVD: CNNVD-201309-440 // NVD: CVE-2013-5976

REFERENCES

url:http://www.securityfocus.com/bid/62596

Trust: 1.7

url:http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14712.html

Trust: 1.7

url:http://secunia.com/advisories/54941

Trust: 1.7

url:http://www.securitytracker.com/id/1029079

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5976

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5976

Trust: 0.8

sources: VULHUB: VHN-65978 // JVNDB: JVNDB-2013-004449 // CNNVD: CNNVD-201309-440 // NVD: CVE-2013-5976

CREDITS

Tony Dimichele of BNP Paribas US

Trust: 0.9

sources: BID: 62596 // CNNVD: CNNVD-201309-440

SOURCES

db: VULHUB, id: VHN-65978
db: BID, id: 62596
db: JVNDB, id: JVNDB-2013-004449
db: CNNVD, id: CNNVD-201309-440
db: NVD, id: CVE-2013-5976

LAST UPDATE DATE

2024-11-23T22:35:19.205000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-65978, date: 2013-10-31T00:00:00
db: BID, id: 62596, date: 2015-03-19T09:05:00
db: JVNDB, id: JVNDB-2013-004449, date: 2013-10-04T00:00:00
db: CNNVD, id: CNNVD-201309-440, date: 2013-10-16T00:00:00
db: NVD, id: CVE-2013-5976, date: 2024-11-21T01:58:31.960

SOURCES RELEASE DATE

db: VULHUB, id: VHN-65978, date: 2013-10-01T00:00:00
db: BID, id: 62596, date: 2013-09-19T00:00:00
db: JVNDB, id: JVNDB-2013-004449, date: 2013-10-04T00:00:00
db: CNNVD, id: CNNVD-201309-440, date: 2013-09-26T00:00:00
db: NVD, id: CVE-2013-5976, date: 2013-10-01T20:55:34.187