Details of VAR-202008-0943

ID

VAR-202008-0943

CVE

CVE-2020-5927

TITLE

BIG-IP ASM Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-010304

DESCRIPTION

In versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, and 14.1.0-14.1.2.6, BIG-IP ASM Configuration utility Stored-Cross Site Scripting. F5 BIG-IP AFM is an advanced firewall device. The F5 BIG-IP AFM configuration tool has a cross-site scripting vulnerability. Remote attackers can use this vulnerability to inject malicious scripts or HTML code. When malicious data is viewed, they can obtain sensitive information or hijack user sessions. BIG-IP versions between 15.1.0 and 15.1.0.4, versions between 15.0.0 and 15.0.1.3, and versions between 14.1.0 and 14.1.2.26 have XSS vulnerabilities. Correct validation of terminal data. An attacker could exploit this vulnerability to execute client code

Trust: 2.25

sources: NVD: CVE-2020-5927 // JVNDB: JVNDB-2020-010304 // CNVD: CNVD-2020-50518 // VULHUB: VHN-184052

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-50518

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.0.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.2.7	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.0.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.0 から 14.1.2.6	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.0.0 から 15.0.1.3	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.0 から 15.1.0.4	Trust: 0.8
vendor:	f5	model:	big-ip	scope:	gte	version:	15.1.0,<=15.1.0.4	Trust: 0.6
vendor:	f5	model:	big-ip	scope:	gte	version:	15.0.0,<=15.0.1.3	Trust: 0.6
vendor:	f5	model:	big-ip	scope:	gte	version:	14.1.0,<=14.1.2.26	Trust: 0.6

sources: CNVD: CNVD-2020-50518 // JVNDB: JVNDB-2020-010304 // NVD: CVE-2020-5927

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-5927
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-010304
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-50518
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202008-1224
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-184052
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-5927
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-010304
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-50518
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-184052
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-5927
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-010304
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-50518 // VULHUB: VHN-184052 // JVNDB: JVNDB-2020-010304 // CNNVD: CNNVD-202008-1224 // NVD: CVE-2020-5927

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-184052 // JVNDB: JVNDB-2020-010304 // NVD: CVE-2020-5927

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-1224

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202008-1224

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-010304

PATCH

title:	K55873574	url:	https://support.f5.com/csp/article/K55873574	Trust: 0.8
title:	Patch for F5 BIG-IP AFM configuration tool cross-site scripting vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/233005	Trust: 0.6
title:	BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=127492	Trust: 0.6

sources: CNVD: CNVD-2020-50518 // JVNDB: JVNDB-2020-010304 // CNNVD: CNNVD-202008-1224

EXTERNAL IDS

db:	NVD	id:	CVE-2020-5927	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-010304	Trust: 0.8
db:	CNVD	id:	CNVD-2020-50518	Trust: 0.7
db:	CNNVD	id:	CNNVD-202008-1224	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.2921	Trust: 0.6
db:	VULHUB	id:	VHN-184052	Trust: 0.1

sources: CNVD: CNVD-2020-50518 // VULHUB: VHN-184052 // JVNDB: JVNDB-2020-010304 // CNNVD: CNNVD-202008-1224 // NVD: CVE-2020-5927

REFERENCES

url:	https://support.f5.com/csp/article/k55873574	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-5927	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5927	Trust: 0.8
url:	https://support.f5.com/csp/article/k25160703	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-asm-cross-site-scripting-via-configuration-utility-33161	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2921/	Trust: 0.6

sources: CNVD: CNVD-2020-50518 // VULHUB: VHN-184052 // JVNDB: JVNDB-2020-010304 // CNNVD: CNNVD-202008-1224 // NVD: CVE-2020-5927

SOURCES

db:	CNVD	id:	CNVD-2020-50518
db:	VULHUB	id:	VHN-184052
db:	JVNDB	id:	JVNDB-2020-010304
db:	CNNVD	id:	CNNVD-202008-1224
db:	NVD	id:	CVE-2020-5927

LAST UPDATE DATE

2024-11-23T23:01:19.183000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-50518	date:	2020-09-05T00:00:00
db:	VULHUB	id:	VHN-184052	date:	2020-09-02T00:00:00
db:	JVNDB	id:	JVNDB-2020-010304	date:	2021-01-06T05:44:20
db:	CNNVD	id:	CNNVD-202008-1224	date:	2020-10-22T00:00:00
db:	NVD	id:	CVE-2020-5927	date:	2024-11-21T05:34:50.593

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-50518	date:	2020-09-04T00:00:00
db:	VULHUB	id:	VHN-184052	date:	2020-08-26T00:00:00
db:	JVNDB	id:	JVNDB-2020-010304	date:	2021-01-06T05:44:20
db:	CNNVD	id:	CNNVD-202008-1224	date:	2020-08-26T00:00:00
db:	NVD	id:	CVE-2020-5927	date:	2020-08-26T16:15:12.993