Details of VAR-201902-0143

ID

VAR-201902-0143

CVE

CVE-2019-6595

TITLE

F5 BIG-IP Access Policy Manager Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-002027

DESCRIPTION

Cross-site scripting (XSS) vulnerability in F5 BIG-IP Access Policy Manager (APM) 11.5.x and 11.6.x Admin Web UI. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. F5 BIG-IP APM versions 4.6.0 and 11.5.1 through 11.6.3 are vulnerable

Trust: 1.98

sources: NVD: CVE-2019-6595 // JVNDB: JVNDB-2019-002027 // BID: 107173 // VULHUB: VHN-158030

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.5.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.x	Trust: 0.8
vendor:	f5	model:	big-iq centralized management	scope:	eq	version:	4.6	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip apm hf2	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip apm hf8	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip apm hf7	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip apm hf6	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip apm hf5	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip apm hf4	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip apm hf3	scope:	eq	version:	11.6	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.7	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip apm hf3	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf2	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf2	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip apm hf11	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm hf10	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip apm hf6	scope:	eq	version:	11.5.1	Trust: 0.3

sources: BID: 107173 // JVNDB: JVNDB-2019-002027 // NVD: CVE-2019-6595

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6595
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6595
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201902-939
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158030
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6595
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158030
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6595
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-158030 // JVNDB: JVNDB-2019-002027 // CNNVD: CNNVD-201902-939 // NVD: CVE-2019-6595

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-158030 // JVNDB: JVNDB-2019-002027 // NVD: CVE-2019-6595

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-939

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201902-939

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002027

PATCH

title:

K31424926

url:

https://support.f5.com/csp/article/K31424926

Trust: 0.8

sources: JVNDB: JVNDB-2019-002027

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6595	Trust: 2.8
db:	BID	id:	107173	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-002027	Trust: 0.8
db:	AUSCERT	id:	ESB-2019.0582	Trust: 0.6
db:	CNNVD	id:	CNNVD-201902-939	Trust: 0.6
db:	VULHUB	id:	VHN-158030	Trust: 0.1

sources: VULHUB: VHN-158030 // BID: 107173 // JVNDB: JVNDB-2019-002027 // CNNVD: CNNVD-201902-939 // NVD: CVE-2019-6595

REFERENCES

url:	https://support.f5.com/csp/article/k31424926	Trust: 2.0
url:	http://www.securityfocus.com/bid/107173	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6595	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6595	Trust: 0.8
url:	https://support.f5.com/csp/article/k31424926vendor advisory	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/76078	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-apm-cross-site-scripting-via-admin-web-ui-28605	Trust: 0.6
url:	http://www.f5.com/	Trust: 0.3

sources: VULHUB: VHN-158030 // BID: 107173 // JVNDB: JVNDB-2019-002027 // CNNVD: CNNVD-201902-939 // NVD: CVE-2019-6595

CREDITS

The vendor reported this issue.

Trust: 0.9

sources: BID: 107173 // CNNVD: CNNVD-201902-939

SOURCES

db:	VULHUB	id:	VHN-158030
db:	BID	id:	107173
db:	JVNDB	id:	JVNDB-2019-002027
db:	CNNVD	id:	CNNVD-201902-939
db:	NVD	id:	CVE-2019-6595

LAST UPDATE DATE

2024-11-23T22:37:55.404000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158030	date:	2019-02-27T00:00:00
db:	BID	id:	107173	date:	2019-02-26T00:00:00
db:	JVNDB	id:	JVNDB-2019-002027	date:	2019-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201902-939	date:	2019-02-28T00:00:00
db:	NVD	id:	CVE-2019-6595	date:	2024-11-21T04:46:46.300

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158030	date:	2019-02-26T00:00:00
db:	BID	id:	107173	date:	2019-02-26T00:00:00
db:	JVNDB	id:	JVNDB-2019-002027	date:	2019-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201902-939	date:	2019-02-26T00:00:00
db:	NVD	id:	CVE-2019-6595	date:	2019-02-26T15:29:00.370