Sign-up

ID

VAR-202109-0775


CVE

CVE-2021-23054


TITLE

BIG-IP APM  Cross-site scripting vulnerability in system

Trust: 0.8

sources: JVNDB: JVNDB-2021-012627

DESCRIPTION

On version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP APM Your system has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. F5 BIG-IP APM is a set of access and security solutions from F5 Corporation of the United States. The product provides unified access to business-critical applications and networks. There is a security vulnerability in the BIG-IP APM system that allows an attacker to create a malicious URL and send it to authenticated users in order to launch an XSS attack

Trust: 2.34

sources: NVD: CVE-2021-23054 // JVNDB: JVNDB-2021-012627 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-381540 // VULMON: CVE-2021-23054

AFFECTED PRODUCTS

vendor:f5model:big-ip access policy managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:16.0.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:14.1.4.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:15.1.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion: -

Trust: 0.8

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-012627 // NVD: CVE-2021-23054

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-23054
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-23054
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202109-1660
value: MEDIUM

Trust: 0.6

VULHUB: VHN-381540
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-23054
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-23054
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-381540
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-23054
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-23054
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-381540 // VULMON: CVE-2021-23054 // JVNDB: JVNDB-2021-012627 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-1660 // NVD: CVE-2021-23054

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-381540 // JVNDB: JVNDB-2021-012627 // NVD: CVE-2021-23054

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-1660

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:K41997459url:https://support.f5.com/csp/article/K41997459

Trust: 0.8

title:F5 BIG-IP APM Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164208

Trust: 0.6

sources: JVNDB: JVNDB-2021-012627 // CNNVD: CNNVD-202109-1660

EXTERNAL IDS

db:NVDid:CVE-2021-23054

Trust: 3.4

db:JVNDBid:JVNDB-2021-012627

Trust: 0.8

db:CNNVDid:CNNVD-202109-1660

Trust: 0.7

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021092806

Trust: 0.6

db:AUSCERTid:ESB-2021.3202

Trust: 0.6

db:VULHUBid:VHN-381540

Trust: 0.1

db:VULMONid:CVE-2021-23054

Trust: 0.1

sources: VULHUB: VHN-381540 // VULMON: CVE-2021-23054 // JVNDB: JVNDB-2021-012627 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-1660 // NVD: CVE-2021-23054

REFERENCES

url:https://support.f5.com/csp/article/k41997459

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-23054

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-apm-cross-site-scripting-via-resource-information-page-36526

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3202

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021092806

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-381540 // VULMON: CVE-2021-23054 // JVNDB: JVNDB-2021-012627 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202109-1660 // NVD: CVE-2021-23054

SOURCES

db:VULHUBid:VHN-381540
db:VULMONid:CVE-2021-23054
db:JVNDBid:JVNDB-2021-012627
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202109-1660
db:NVDid:CVE-2021-23054

LAST UPDATE DATE

2024-08-14T12:42:48.878000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-381540date:2021-10-04T00:00:00
db:VULMONid:CVE-2021-23054date:2021-10-04T00:00:00
db:JVNDBid:JVNDB-2021-012627date:2022-09-05T02:04:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202109-1660date:2021-10-08T00:00:00
db:NVDid:CVE-2021-23054date:2021-10-04T18:07:19.963

SOURCES RELEASE DATE

db:VULHUBid:VHN-381540date:2021-09-27T00:00:00
db:VULMONid:CVE-2021-23054date:2021-09-27T00:00:00
db:JVNDBid:JVNDB-2021-012627date:2022-09-05T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202109-1660date:2021-09-24T00:00:00
db:NVDid:CVE-2021-23054date:2021-09-27T11:15:07.527