Details of VAR-201810-0899

ID

VAR-201810-0899

CVE

CVE-2018-15313

TITLE

F5 BIG-IP AFM Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-011113

DESCRIPTION

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI page. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. F5 BIG-IP AFM is an advanced firewall product used to protect against DDos attacks from F5 Corporation of the United States. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

Trust: 1.98

sources: NVD: CVE-2018-15313 // JVNDB: JVNDB-2018-011113 // BID: 105733 // VULHUB: VHN-125560

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.0 to 12.1.3.6	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.0 to 13.1.1.1	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.1.0	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.0	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.3	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.1.1	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.1	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.1	Trust: 0.6
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf3	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf4	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip afm build	scope:	eq	version:	12.01.14.628	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf3	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	14.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	13.1.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	12.1.3.7	Trust: 0.3

sources: BID: 105733 // JVNDB: JVNDB-2018-011113 // CNNVD: CNNVD-201810-1069 // NVD: CVE-2018-15313

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-15313
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-15313
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201810-1069
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-125560
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-15313
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-125560
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-15313
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-125560 // JVNDB: JVNDB-2018-011113 // CNNVD: CNNVD-201810-1069 // NVD: CVE-2018-15313

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-125560 // JVNDB: JVNDB-2018-011113 // NVD: CVE-2018-15313

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1069

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201810-1069

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011113

PATCH

title:	K21042153	url:	https://support.f5.com/csp/article/K21042153	Trust: 0.8
title:	F5 BIG-IP AFM Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86212	Trust: 0.6

sources: JVNDB: JVNDB-2018-011113 // CNNVD: CNNVD-201810-1069

EXTERNAL IDS

db:	NVD	id:	CVE-2018-15313	Trust: 2.8
db:	BID	id:	105733	Trust: 1.4
db:	SECTRACK	id:	1041934	Trust: 1.1
db:	JVNDB	id:	JVNDB-2018-011113	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-1069	Trust: 0.7
db:	AUSCERT	id:	ESB-2018.3186	Trust: 0.6
db:	VULHUB	id:	VHN-125560	Trust: 0.1

sources: VULHUB: VHN-125560 // BID: 105733 // JVNDB: JVNDB-2018-011113 // CNNVD: CNNVD-201810-1069 // NVD: CVE-2018-15313

REFERENCES

url:	https://support.f5.com/csp/article/k21042153	Trust: 2.0
url:	http://www.securityfocus.com/bid/105733	Trust: 1.1
url:	http://www.securitytracker.com/id/1041934	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15313	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-15313	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/70218	Trust: 0.6
url:	http://www.f5.com/	Trust: 0.3
url:	https://support.f5.com/csp/article/k04524282	Trust: 0.3

sources: VULHUB: VHN-125560 // BID: 105733 // JVNDB: JVNDB-2018-011113 // CNNVD: CNNVD-201810-1069 // NVD: CVE-2018-15313

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 105733

SOURCES

db:	VULHUB	id:	VHN-125560
db:	BID	id:	105733
db:	JVNDB	id:	JVNDB-2018-011113
db:	CNNVD	id:	CNNVD-201810-1069
db:	NVD	id:	CVE-2018-15313

LAST UPDATE DATE

2024-11-23T22:00:16.227000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-125560	date:	2018-12-03T00:00:00
db:	BID	id:	105733	date:	2018-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-011113	date:	2019-01-07T00:00:00
db:	CNNVD	id:	CNNVD-201810-1069	date:	2018-10-24T00:00:00
db:	NVD	id:	CVE-2018-15313	date:	2024-11-21T03:50:32.283

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-125560	date:	2018-10-19T00:00:00
db:	BID	id:	105733	date:	2018-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-011113	date:	2019-01-07T00:00:00
db:	CNNVD	id:	CNNVD-201810-1069	date:	2018-10-22T00:00:00
db:	NVD	id:	CVE-2018-15313	date:	2018-10-19T13:29:00.320