When remote authentication is enabled for administrative users and all external users are granted the “guest” role, unsanitized values can be reflected to the client via the login page. This can lead to a cross-site scripting attack against unauthenticated clients. (CVE-2019-6600)
Impact
BIG-IP
This vulnerability may lead to a cross-site scripting (XSS) attack against an unauthenticated client via the login Username field.
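The reflection pattern described above, as an added example that is not F5's code and not part of the original advisory: a login page that echoes the submitted Username unencoded beside the encoded form, with a check that classifies which one a rendered page contains. The template, function names and probe value are assumptions constructed for illustration.

```python
import html

# Hypothetical login template (not F5's markup): the failed-login page
# repopulates the Username field and echoes it in an error message.
TEMPLATE = (
    '<form method="post">'
    '<input name="username" value="{user}">'
    '<input name="passwd" type="password">'
    '</form><p class="err">Login failed for {user}</p>'
)


def render_unsafe(username: str) -> str:
    """Vulnerable pattern: the submitted value is reflected verbatim."""
    return TEMPLATE.format(user=username)


def render_safe(username: str) -> str:
    """Hardened pattern: encode for HTML text and quoted-attribute contexts."""
    return TEMPLATE.format(user=html.escape(username, quote=True))


def reflection_state(body: str, submitted: str) -> str:
    """Classify how a submitted value appears in a rendered page.

    'raw'          markup-significant characters came back unencoded
    'encoded'      only the HTML-escaped form is present
    'inconclusive' value is present but has nothing that needs encoding
    'absent'       value is not reflected at all
    """
    escaped = html.escape(submitted, quote=True)
    if escaped == submitted:
        return "inconclusive" if submitted in body else "absent"
    if submitted in body:
        return "raw"
    if escaped in body:
        return "encoded"
    return "absent"


# Constructed, inert probe: carries the characters that matter, runs nothing.
PROBE = 'canary"<b>7f3a</b>'

if __name__ == "__main__":
    print("unsafe:", reflection_state(render_unsafe(PROBE), PROBE))
    print("safe:  ", reflection_state(render_safe(PROBE), PROBE))
```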
BIG-IQ, F5 iWorkflow, Enterprise Manager, and Traffix SDC
There is no impact for these F5 products; they are not affected by this vulnerability.