Details of VAR-201907-0131

ID

VAR-201907-0131

CVE

CVE-2019-6626

TITLE

BIG-IP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-006060

DESCRIPTION

On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The following products and versions are affected: F5 BIG-IP AFM from version 14.1.0 to version 14.1.0.5, version 14.0.0 to version 14.0.0.4, version 13.0.0 to version 13.1.1.4, version 12.1.0 to version 12.1.4 Versions, 11.5.1 to 11.6.3.4; BIG-IP Analytics 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.4, 12.1.0 to version 12.1.4, version 11.5.1 to version 11.6.3.4; BIG-IP ASM version 14.1.0 to version 14.1.0.5, version 14.0.0 to version 14.0.0.4, version 13.0.0 to version 13.1.1.4, Version 12.1.0 to version 12.1.4, version 11.5.1 to version 11.6.3.4

Trust: 1.71

sources: NVD: CVE-2019-6626 // JVNDB: JVNDB-2019-006060 // VULHUB: VHN-158061

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.0.0.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.0.0.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.0.0.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	12.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	12.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	12.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-006060 // NVD: CVE-2019-6626

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6626
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6626
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201907-060
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158061
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6626
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158061
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6626
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-158061 // JVNDB: JVNDB-2019-006060 // CNNVD: CNNVD-201907-060 // NVD: CVE-2019-6626

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-158061 // JVNDB: JVNDB-2019-006060 // NVD: CVE-2019-6626

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-060

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-060

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006060

PATCH

title:	K00432398	url:	https://support.f5.com/csp/article/K00432398	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94296	Trust: 0.6

sources: JVNDB: JVNDB-2019-006060 // CNNVD: CNNVD-201907-060

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6626	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-006060	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-060	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2408	Trust: 0.6
db:	VULHUB	id:	VHN-158061	Trust: 0.1

sources: VULHUB: VHN-158061 // JVNDB: JVNDB-2019-006060 // CNNVD: CNNVD-201907-060 // NVD: CVE-2019-6626

REFERENCES

url:	https://support.f5.com/csp/article/k00432398	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6626	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6626	Trust: 0.8
url:	https://support.f5.com/csp/article/k44885536	Trust: 0.6
url:	https://support.f5.com/csp/article/k20445457	Trust: 0.6
url:	https://support.f5.com/csp/article/k67825238	Trust: 0.6
url:	https://support.f5.com/csp/article/k79902360	Trust: 0.6
url:	https://support.f5.com/csp/article/k20541896	Trust: 0.6
url:	https://support.f5.com/csp/article/k22384173	Trust: 0.6
url:	https://support.f5.com/csp/article/k29149494	Trust: 0.6
url:	https://support.f5.com/csp/article/k68151373	Trust: 0.6
url:	https://support.f5.com/csp/article/k64855220	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-29665	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2408/	Trust: 0.6

sources: VULHUB: VHN-158061 // JVNDB: JVNDB-2019-006060 // CNNVD: CNNVD-201907-060 // NVD: CVE-2019-6626

SOURCES

db:	VULHUB	id:	VHN-158061
db:	JVNDB	id:	JVNDB-2019-006060
db:	CNNVD	id:	CNNVD-201907-060
db:	NVD	id:	CVE-2019-6626

LAST UPDATE DATE

2024-11-23T21:38:12.985000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158061	date:	2019-07-08T00:00:00
db:	JVNDB	id:	JVNDB-2019-006060	date:	2019-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201907-060	date:	2019-07-09T00:00:00
db:	NVD	id:	CVE-2019-6626	date:	2024-11-21T04:46:50.110

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158061	date:	2019-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2019-006060	date:	2019-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201907-060	date:	2019-07-02T00:00:00
db:	NVD	id:	CVE-2019-6626	date:	2019-07-03T18:15:10.630