A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility. (CVE-2019-6589)
Impact
To perform the attack, a user must visit a specially crafted URL that includes the specific target host name. If the exploit is successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with Advanced Shell (bash) access, successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system through Remote Code Execution.