Details of VAR-201911-0301

ID

VAR-201911-0301

CVE

CVE-2019-6657

TITLE

BIG-IP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-011470

DESCRIPTION

On BIG-IP 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility. BIG-IP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. Cross-site scripting vulnerabilities exist in F5 BIG-IP versions 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.5.2 to 11.6.5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

Trust: 1.71

sources: NVD: CVE-2019-6657 // JVNDB: JVNDB-2019-011470 // VULHUB: VHN-158092

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip edge gateway	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.1.1	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.1.4	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.0.6	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.1	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.1.5	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.2	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.0.8	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.0.7	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.1.3	Trust: 0.6
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	13.1.0.5	Trust: 0.6

sources: JVNDB: JVNDB-2019-011470 // CNNVD: CNNVD-201911-002 // NVD: CVE-2019-6657

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6657
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6657
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201911-002
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158092
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6657
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158092
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6657
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6657
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-158092 // JVNDB: JVNDB-2019-011470 // CNNVD: CNNVD-201911-002 // NVD: CVE-2019-6657

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-158092 // JVNDB: JVNDB-2019-011470 // NVD: CVE-2019-6657

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-002

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201911-002

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011470

PATCH

title:	K22441651	url:	https://support.f5.com/csp/article/K22441651	Trust: 0.8
title:	F5 BIG-IP Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101643	Trust: 0.6

sources: JVNDB: JVNDB-2019-011470 // CNNVD: CNNVD-201911-002

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6657	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-011470	Trust: 0.8
db:	CNNVD	id:	CNNVD-201911-002	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.4058	Trust: 0.6
db:	VULHUB	id:	VHN-158092	Trust: 0.1

sources: VULHUB: VHN-158092 // JVNDB: JVNDB-2019-011470 // CNNVD: CNNVD-201911-002 // NVD: CVE-2019-6657

REFERENCES

url:	https://support.f5.com/csp/article/k22441651	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6657	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6657	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.4058/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-cross-site-scripting-via-tmui-30765	Trust: 0.6

sources: VULHUB: VHN-158092 // JVNDB: JVNDB-2019-011470 // CNNVD: CNNVD-201911-002 // NVD: CVE-2019-6657

SOURCES

db:	VULHUB	id:	VHN-158092
db:	JVNDB	id:	JVNDB-2019-011470
db:	CNNVD	id:	CNNVD-201911-002
db:	NVD	id:	CVE-2019-6657

LAST UPDATE DATE

2024-11-23T21:51:51.303000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158092	date:	2019-11-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-011470	date:	2019-11-08T00:00:00
db:	CNNVD	id:	CNNVD-201911-002	date:	2019-11-06T00:00:00
db:	NVD	id:	CVE-2019-6657	date:	2024-11-21T04:46:53.870

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158092	date:	2019-11-01T00:00:00
db:	JVNDB	id:	JVNDB-2019-011470	date:	2019-11-08T00:00:00
db:	CNNVD	id:	CNNVD-201911-002	date:	2019-11-01T00:00:00
db:	NVD	id:	CVE-2019-6657	date:	2019-11-01T15:15:11.387