K43520321 : NGINX Controller API Vulnerability CVE-2020-5901

2020-06-1100:00:00

my.f5.com

8.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.2%

JSON

Security Advisory Description

Undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system. (CVE-2020-5901)

Impact

For the attack to occur, a user must visit a specially crafted URL that includes the specific target host name. If the exploit is successful, an attacker can run JavaScript in the context of the currently logged-in user. If the user is logged in as an administrator, the attacker may be able to completely compromise of the system.

CPENameOperatorVersion
big-iq centralized managementeq5.3.0
big-iq centralized managementeq5.4.0
big-iq centralized managementeq6.0.0
big-iq centralized managementeq6.0.1
big-iq centralized managementeq6.1.0
big-iq centralized managementeq7.0.0
big-iq centralized managementeq7.1.0
big-ip afmeq11.6.1
big-ip afmeq11.6.2
big-ip afmeq11.6.3

Name	Operator	Version
big-iq centralized management	eq	5.3.0
big-iq centralized management	eq	5.4.0
big-iq centralized management	eq	6.0.0
big-iq centralized management	eq	6.0.1
big-iq centralized management	eq	6.1.0
big-iq centralized management	eq	7.0.0
big-iq centralized management	eq	7.1.0
big-ip afm	eq	11.6.1
big-ip afm	eq	11.6.2
big-ip afm	eq	11.6.3

Rows per page:

1-10 of 2051