Details of VAR-201810-0910

ID

VAR-201810-0910

CVE

CVE-2018-15314

TITLE

F5 BIG-IP AFM Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-011231

DESCRIPTION

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI page. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. F5 BIG-IP AFM is an advanced firewall product used to protect against DDos attacks from F5 Corporation of the United States. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

Trust: 1.98

sources: NVD: CVE-2018-15314 // JVNDB: JVNDB-2018-011231 // BID: 105733 // VULHUB: VHN-125561

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.0 to 12.1.3.6	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.0 to 13.1.1.1	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.1.0	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.0	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.3	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.1.1	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.1	Trust: 0.6
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.1	Trust: 0.6
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf3	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf4	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip afm build	scope:	eq	version:	12.01.14.628	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf3	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf2	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf1	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	14.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	13.1.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	12.1.3.7	Trust: 0.3

sources: BID: 105733 // JVNDB: JVNDB-2018-011231 // CNNVD: CNNVD-201810-1070 // NVD: CVE-2018-15314

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-15314
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-15314
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201810-1070
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-125561
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-15314
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-125561
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-15314
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-125561 // JVNDB: JVNDB-2018-011231 // CNNVD: CNNVD-201810-1070 // NVD: CVE-2018-15314

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-125561 // JVNDB: JVNDB-2018-011231 // NVD: CVE-2018-15314

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1070

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201810-1070

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011231

PATCH

title:	K04524282	url:	https://support.f5.com/csp/article/K04524282	Trust: 0.8
title:	F5 BIG-IP AFM Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86211	Trust: 0.6

sources: JVNDB: JVNDB-2018-011231 // CNNVD: CNNVD-201810-1070

EXTERNAL IDS

db:	NVD	id:	CVE-2018-15314	Trust: 2.8
db:	BID	id:	105733	Trust: 1.4
db:	SECTRACK	id:	1041933	Trust: 1.1
db:	JVNDB	id:	JVNDB-2018-011231	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-1070	Trust: 0.7
db:	AUSCERT	id:	ESB-2018.3186	Trust: 0.6
db:	VULHUB	id:	VHN-125561	Trust: 0.1

sources: VULHUB: VHN-125561 // BID: 105733 // JVNDB: JVNDB-2018-011231 // CNNVD: CNNVD-201810-1070 // NVD: CVE-2018-15314

REFERENCES

url:	https://support.f5.com/csp/article/k04524282	Trust: 2.0
url:	http://www.securityfocus.com/bid/105733	Trust: 1.1
url:	http://www.securitytracker.com/id/1041933	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15314	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-15314	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/70218	Trust: 0.6
url:	http://www.f5.com/	Trust: 0.3
url:	https://support.f5.com/csp/article/k21042153	Trust: 0.3

sources: VULHUB: VHN-125561 // BID: 105733 // JVNDB: JVNDB-2018-011231 // CNNVD: CNNVD-201810-1070 // NVD: CVE-2018-15314

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 105733

SOURCES

db:	VULHUB	id:	VHN-125561
db:	BID	id:	105733
db:	JVNDB	id:	JVNDB-2018-011231
db:	CNNVD	id:	CNNVD-201810-1070
db:	NVD	id:	CVE-2018-15314

LAST UPDATE DATE

2024-11-23T22:00:16.257000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-125561	date:	2018-12-04T00:00:00
db:	BID	id:	105733	date:	2018-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-011231	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-1070	date:	2018-10-24T00:00:00
db:	NVD	id:	CVE-2018-15314	date:	2024-11-21T03:50:32.420

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-125561	date:	2018-10-19T00:00:00
db:	BID	id:	105733	date:	2018-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-011231	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-1070	date:	2018-10-22T00:00:00
db:	NVD	id:	CVE-2018-15314	date:	2018-10-19T13:29:00.417