Details of VAR-201907-0142

ID

VAR-201907-0142

CVE

CVE-2019-6636

TITLE

BIG-IP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-006206

DESCRIPTION

On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The level of user role which can perform this attack are resource administrator and administrator. BIG-IP (AFM , ASM) Contains a cross-site scripting vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The following products and versions are affected: F5 BIG-IP AFM from version 14.1.0 to version 14.1.0.5, version 14.0.0 to version 14.0.0.4, version 13.0.0 to version 13.1.1.4, version 12.1.0 to version 12.1.4 Version, 11.5.1 to 11.6.4

Trust: 1.98

sources: NVD: CVE-2019-6636 // JVNDB: JVNDB-2019-006206 // BID: 109108 // VULHUB: VHN-158071

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.0.0.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.0.0.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	12.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	12.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	11.5.1 to 11.6.4	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	12.1.0 to 12.1.4	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	13.0.0 to 13.1.1.4	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	14.0.0 to 14.0.0.4	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	14.1.0 to 14.1.0.5	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.5.1 to 11.6.4	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.0 to 12.1.4	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.0.0 to 13.1.1.4	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.0.0 to 14.0.0.4	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.0 to 14.1.0.5	Trust: 0.8
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf4	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.4	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.9	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.8	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.7	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.1.0.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.1.0.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.0.0.4	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.0.0.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.0.0.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm hf4	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.8	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.7	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.0.0.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.0.0.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.7	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip afm hf3	scope:	eq	version:	12.0.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	15.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	14.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	14.0.0.5	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	13.1.1.5	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	12.1.4.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	15.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	14.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	14.0.0.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	13.1.1.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	12.1.4.1	Trust: 0.3

sources: BID: 109108 // JVNDB: JVNDB-2019-006206 // NVD: CVE-2019-6636

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6636
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6636
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201907-048
value:	HIGH
Trust: 0.6
VULHUB:	VHN-158071
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-6636
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158071
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6636
baseSeverity:	HIGH
baseScore:	8.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.7
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-158071 // JVNDB: JVNDB-2019-006206 // CNNVD: CNNVD-201907-048 // NVD: CVE-2019-6636

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.9
problemtype:	CWE-352	Trust: 1.1

sources: VULHUB: VHN-158071 // JVNDB: JVNDB-2019-006206 // NVD: CVE-2019-6636

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-048

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201907-048

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006206

PATCH

title:	K68151373	url:	https://support.f5.com/csp/article/K68151373	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94284	Trust: 0.6

sources: JVNDB: JVNDB-2019-006206 // CNNVD: CNNVD-201907-048

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6636	Trust: 2.8
db:	BID	id:	109108	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-006206	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-048	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2408	Trust: 0.6
db:	VULHUB	id:	VHN-158071	Trust: 0.1

sources: VULHUB: VHN-158071 // BID: 109108 // JVNDB: JVNDB-2019-006206 // CNNVD: CNNVD-201907-048 // NVD: CVE-2019-6636

REFERENCES

url:	https://support.f5.com/csp/article/k68151373	Trust: 2.0
url:	http://www.securityfocus.com/bid/109108	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6636	Trust: 1.4
url:	http://www.f5.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6636	Trust: 0.8
url:	https://support.f5.com/csp/article/k44885536	Trust: 0.6
url:	https://support.f5.com/csp/article/k20445457	Trust: 0.6
url:	https://support.f5.com/csp/article/k67825238	Trust: 0.6
url:	https://support.f5.com/csp/article/k79902360	Trust: 0.6
url:	https://support.f5.com/csp/article/k20541896	Trust: 0.6
url:	https://support.f5.com/csp/article/k22384173	Trust: 0.6
url:	https://support.f5.com/csp/article/k29149494	Trust: 0.6
url:	https://support.f5.com/csp/article/k00432398	Trust: 0.6
url:	https://support.f5.com/csp/article/k64855220	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-29665	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2408/	Trust: 0.6

sources: VULHUB: VHN-158071 // BID: 109108 // JVNDB: JVNDB-2019-006206 // CNNVD: CNNVD-201907-048 // NVD: CVE-2019-6636

CREDITS

Chaos Emmissary

Trust: 0.9

sources: BID: 109108 // CNNVD: CNNVD-201907-048

SOURCES

db:	VULHUB	id:	VHN-158071
db:	BID	id:	109108
db:	JVNDB	id:	JVNDB-2019-006206
db:	CNNVD	id:	CNNVD-201907-048
db:	NVD	id:	CVE-2019-6636

LAST UPDATE DATE

2024-11-23T21:38:13.067000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158071	date:	2020-08-24T00:00:00
db:	BID	id:	109108	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-006206	date:	2019-07-12T00:00:00
db:	CNNVD	id:	CNNVD-201907-048	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-6636	date:	2024-11-21T04:46:51.323

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158071	date:	2019-07-03T00:00:00
db:	BID	id:	109108	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-006206	date:	2019-07-12T00:00:00
db:	CNNVD	id:	CNNVD-201907-048	date:	2019-07-02T00:00:00
db:	NVD	id:	CVE-2019-6636	date:	2019-07-03T19:15:13.160