Details of VAR-201810-0911

ID

VAR-201810-0911

CVE

CVE-2018-15315

TITLE

F5 BIG-IP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-011232

DESCRIPTION

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected Cross Site Scripting (XSS) vulnerability in an undisclosed Configuration Utility page. F5 BIG-IP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.71

sources: NVD: CVE-2018-15315 // JVNDB: JVNDB-2018-011232 // VULHUB: VHN-125562

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip policy enforcement manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip webaccelerator	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	13.1.1	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	13.1.1	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	12.1.1	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	13.1.0	Trust: 0.6
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	13.1.0	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	13.0.0	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	12.1.0	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	12.1.2	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	12.1.3	Trust: 0.6
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	13.0.1	Trust: 0.6

sources: JVNDB: JVNDB-2018-011232 // CNNVD: CNNVD-201810-1093 // NVD: CVE-2018-15315

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-15315
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-15315
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201810-1093
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-125562
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-15315
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-125562
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-15315
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-125562 // JVNDB: JVNDB-2018-011232 // CNNVD: CNNVD-201810-1093 // NVD: CVE-2018-15315

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-125562 // JVNDB: JVNDB-2018-011232 // NVD: CVE-2018-15315

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1093

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201810-1093

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011232

PATCH

title:	K41704442	url:	https://support.f5.com/csp/article/K41704442	Trust: 0.8
title:	F5 BIG-IP Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86219	Trust: 0.6

sources: JVNDB: JVNDB-2018-011232 // CNNVD: CNNVD-201810-1093

EXTERNAL IDS

db:	NVD	id:	CVE-2018-15315	Trust: 2.5
db:	SECTRACK	id:	1041935	Trust: 1.1
db:	JVNDB	id:	JVNDB-2018-011232	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-1093	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2408	Trust: 0.6
db:	VULHUB	id:	VHN-125562	Trust: 0.1

sources: VULHUB: VHN-125562 // JVNDB: JVNDB-2018-011232 // CNNVD: CNNVD-201810-1093 // NVD: CVE-2018-15315

REFERENCES

url:	https://support.f5.com/csp/article/k41704442	Trust: 1.1
url:	http://www.securitytracker.com/id/1041935	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15315	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-15315	Trust: 0.8
url:	https://support.f5.com/csp/article/k44885536	Trust: 0.6
url:	https://support.f5.com/csp/article/k20445457	Trust: 0.6
url:	https://support.f5.com/csp/article/k67825238	Trust: 0.6
url:	https://support.f5.com/csp/article/k79902360	Trust: 0.6
url:	https://support.f5.com/csp/article/k20541896	Trust: 0.6
url:	https://support.f5.com/csp/article/k22384173	Trust: 0.6
url:	https://support.f5.com/csp/article/k29149494	Trust: 0.6
url:	https://support.f5.com/csp/article/k68151373	Trust: 0.6
url:	https://support.f5.com/csp/article/k00432398	Trust: 0.6
url:	https://support.f5.com/csp/article/k64855220	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2408/	Trust: 0.6

sources: VULHUB: VHN-125562 // JVNDB: JVNDB-2018-011232 // CNNVD: CNNVD-201810-1093 // NVD: CVE-2018-15315

SOURCES

db:	VULHUB	id:	VHN-125562
db:	JVNDB	id:	JVNDB-2018-011232
db:	CNNVD	id:	CNNVD-201810-1093
db:	NVD	id:	CVE-2018-15315

LAST UPDATE DATE

2024-11-23T21:38:13.041000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-125562	date:	2018-12-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-011232	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-1093	date:	2020-07-07T00:00:00
db:	NVD	id:	CVE-2018-15315	date:	2024-11-21T03:50:32.547

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-125562	date:	2018-10-19T00:00:00
db:	JVNDB	id:	JVNDB-2018-011232	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-1093	date:	2018-10-22T00:00:00
db:	NVD	id:	CVE-2018-15315	date:	2018-10-19T13:29:00.493