Lucene search
F5F5:K000138636HistoryMay 08, 2024 - 12:00 a.m.
K000138636 : BIG-IP Configuration utility XSS vulnerability CVE-2024-31156
2024-05-0800:00:00
my.f5.com
18
stored cross-site scripting
cve-2024-31156
authentication bypass
administrative user
control plane
Security Advisory Description
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. (CVE-2024-31156)
Impact
An authenticated attacker may exploit this vulnerability by storing malicious HTML or JavaScript code in the BIG-IP Configuration utility. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system. This is a control plane issue; there is no data plane exposure.
| Vendor | Product | Version | CPE |
|---|---|---|---|
| f5 | big\-ip_next | 20.0.1 | cpe:2.3:a:f5:big\-ip_next:20.0.1:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 20.0.2 | cpe:2.3:a:f5:big\-ip_next:20.0.2:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 20.1.0 | cpe:2.3:a:f5:big\-ip_next:20.1.0:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 20.1.1 | cpe:2.3:a:f5:big\-ip_next:20.1.1:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 20.2.0 | cpe:2.3:a:f5:big\-ip_next:20.2.0:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 1.1.0 | cpe:2.3:a:f5:big\-ip_next:1.1.0:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 1.1.1 | cpe:2.3:a:f5:big\-ip_next:1.1.1:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 1.2.0 | cpe:2.3:a:f5:big\-ip_next:1.2.0:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 1.2.1 | cpe:2.3:a:f5:big\-ip_next:1.2.1:*:*:*:*:*:*:* |
| f5 | big\-ip_next | 1.3.0 | cpe:2.3:a:f5:big\-ip_next:1.3.0:*:*:*:*:*:*:* |
Related
nvd
nvd
CVE-2024-31156
2024-05-08 15:15:09
cve
cve
CVE-2024-31156
2024-05-08 15:15:09
vulnrichment
vulnrichment
CVE-2024-31156 BIG-IP Configuration utility XSS vulnerability
2024-05-08 15:01:27
cvelist
cvelist
CVE-2024-31156 BIG-IP Configuration utility XSS vulnerability
2024-05-08 15:01:27
nessus
nessus
f5
f5
K000139404 : Quarterly Security Notification (May 2024)
2024-05-08 00:00:00