Lucene search

F5F5:K000132726

HistoryMay 03, 2023 - 12:00 a.m.

K000132726 : BIG-IP Configuration utility XSS vulnerability CVE-2023-27378

2023-05-0300:00:00

my.f5.com

reflected cross-site scripting

big-ip configuration

authenticated user

web browser

administrative user

advanced shell

control plane

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

18.2%

JSON

Security Advisory Description

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility that allow an attacker to run JavaScript in the context of the currently logged-in user. (CVE-2023-27378)

Impact

An attacker may exploit this vulnerability by causing an authenticated user to send a crafted URL that is then reflected back and run by the user’s web browser. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system. This is a control plane issue; there is no data plane exposure.