TMUI XSS vulnerability CVE-2021-23027


A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. ([CVE-2021-23027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23027>))

Impact

An attacker may exploit this vulnerability by causing an authenticated user to submit malicious HTML or JavaScript code in the BIG-IP Configuration utility. If successful, an attacker can run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (**bash**), an attacker can leverage successful exploitation of this vulnerability to compromise the BIG-IP system.

Affected Software

| Name | Version |
| --- | --- |
| big-iq centralized management | 8.1.0 |
| big-ip afm | 16.0.1 |
| big-ip analytics | 16.0.1 |
| big-ip apm | 16.0.1 |
| big-ip asm | 16.0.1 |
| big-ip dns | 16.0.1 |
| big-ip fps | 16.0.1 |
| big-ip gtm | 16.0.1 |
| big-ip link controller | 16.0.1 |
| big-ip ltm | 16.0.1 |
| big-ip pem | 16.0.1 |
| big-ip aam | 16.0.1 |
| f5os | 1.1.3 |
| traffix sdc | 5.2.0 |
| f5 ssl orchestrator | 16.0.1 |
| f5 ddos hybrid defender | 16.1.0 |