Details of VAR-202011-1453

ID

VAR-202011-1453

CVE

CVE-2020-5945

TITLE

BIG-IP Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-013096

DESCRIPTION

In BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2.7, undisclosed TMUI page contains a stored cross site scripting vulnerability (XSS). The issue allows a minor privilege escalation for resource admin to escalate to full admin. BIG-IP Contains a cross-site scripting vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. F5 TMUI has a cross-site scripting vulnerability, which originates from undocumented TMUI pages, and an authenticated malicious user with resource administrator privileges can exploit this vulnerability to escalate their role to full administrator privileges and execute system commands. The following products and versions are affected: BIG-IP 16.0.0, 15.0.0 to 15.1.0, 14.1.0 to 14.1.2

Trust: 1.71

sources: NVD: CVE-2020-5945 // JVNDB: JVNDB-2020-013096 // VULHUB: VHN-184070

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.2.8	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-013096 // NVD: CVE-2020-5945

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-5945
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-5945
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202011-162
value:	HIGH
Trust: 0.6
VULHUB:	VHN-184070
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-5945
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-184070
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-5945
baseSeverity:	HIGH
baseScore:	8.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.7
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2020-5945
baseSeverity:	HIGH
baseScore:	8.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-184070 // JVNDB: JVNDB-2020-013096 // CNNVD: CNNVD-202011-162 // NVD: CVE-2020-5945

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-184070 // JVNDB: JVNDB-2020-013096 // NVD: CVE-2020-5945

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-162

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202011-162

PATCH

title:	K21540525	url:	https://support.f5.com/csp/article/K21540525	Trust: 0.8
title:	F5 BIG-IP Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134017	Trust: 0.6

sources: JVNDB: JVNDB-2020-013096 // CNNVD: CNNVD-202011-162

EXTERNAL IDS

db:	NVD	id:	CVE-2020-5945	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-013096	Trust: 0.8
db:	CNNVD	id:	CNNVD-202011-162	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.3780	Trust: 0.6
db:	CNVD	id:	CNVD-2020-63628	Trust: 0.1
db:	VULHUB	id:	VHN-184070	Trust: 0.1

sources: VULHUB: VHN-184070 // JVNDB: JVNDB-2020-013096 // CNNVD: CNNVD-202011-162 // NVD: CVE-2020-5945

REFERENCES

url:	https://support.f5.com/csp/article/k21540525	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-5945	Trust: 1.4
url:	https://vigilance.fr/vulnerability/f5-big-ip-cross-site-scripting-via-tmui-33763	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3780/	Trust: 0.6

sources: VULHUB: VHN-184070 // JVNDB: JVNDB-2020-013096 // CNNVD: CNNVD-202011-162 // NVD: CVE-2020-5945

SOURCES

db:	VULHUB	id:	VHN-184070
db:	JVNDB	id:	JVNDB-2020-013096
db:	CNNVD	id:	CNNVD-202011-162
db:	NVD	id:	CVE-2020-5945

LAST UPDATE DATE

2024-11-23T22:33:15.137000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-184070	date:	2020-11-13T00:00:00
db:	JVNDB	id:	JVNDB-2020-013096	date:	2021-06-18T05:33:00
db:	CNNVD	id:	CNNVD-202011-162	date:	2020-11-16T00:00:00
db:	NVD	id:	CVE-2020-5945	date:	2024-11-21T05:34:52.810

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-184070	date:	2020-11-05T00:00:00
db:	JVNDB	id:	JVNDB-2020-013096	date:	2021-06-18T00:00:00
db:	CNNVD	id:	CNNVD-202011-162	date:	2020-11-03T00:00:00
db:	NVD	id:	CVE-2020-5945	date:	2020-11-05T20:15:17.897