Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
f5F5SOL8280
HistoryJan 16, 2008 - 12:00 a.m.

SOL8280 - Cross-site scripting vulnerabilities in BIG-IP Configuration utility CVE-2008-0265

2008-01-1600:00:00
support.f5.com
28

EPSS

0.004

Percentile

74.6%

JSON

The vulnerability is only available to authenticated users. Theoretically, a malicious site could use another tab in an admin user’s browser to hit a list URL and cause the admin user’s Configuration utility to render malicious JavaScript in the admin user’s browser. The results are not saved beyond the user’s browser.

For more Information, refer to the following two locations:

F5 Product Development tracked this issue as CR113089 and CR90703 and it was fixed in BIG-IP 10.0.0 and Enterprise Manager 1.6.0. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, WebAccelerator, or Enterprise Manager release notes.

F5 Product Development also tracked this issue as CR90703 and it was fixed for Firefox browser clients in BIG-IP 9.4.4. However, the Internet Explorer browser was still vulnerable. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, or WebAccelerator release notes.

Additionally, this issue was fixed for Firefox browser clients in Hotfix-BIG-IP-9.3.1-HF-2 issued for BIG-IP 9.3.1. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.

To view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.

For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.

For information about managing F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.

Workaround

To prevent a malicious site from executing this vulnerability, refrain from using a browser for more than one website when using the BIG-IP Configuration utility. Also, ensure that you close the browser after completing BIG-IP administration tasks.Â

Acknowledgements

F5 would like to acknowledge Marcin Kozlowski for his efforts in identifying this issue, and providing F5 with the initial external notification.

Related

cvelist 1
prion 1
cve 1
f5 1
exploitdb 1
nessus 2
nvd 1
cvelist
cvelist
CVE-2008-0265
2008-01-15 19:00:00
prion
prion
Cross site scripting
2008-01-15 20:00:00
cve
cve
CVE-2008-0265
2008-01-15 20:00:00
f5
f5
K8280 : Cross-site scripting vulnerabilities in BIG-IP Configuration utility CVE-2008-0265
2013-03-19 00:00:00
exploitdb
exploitdb
F5 BIG-IP 9.4.3 - 'SearchString' Multiple Cross-Site Scripting Vulnerabilities
2008-01-14 00:00:00
nessus
nessus
F5 Networks BIG-IP : XSS vulnerabilities in BIG-IP Configuration utility (SOL8280)
2014-10-10 00:00:00
F5 BIG-IP Web Management Multiple XSS
2008-02-11 00:00:00
nvd
nvd
CVE-2008-0265
2008-01-15 20:00:00

EPSS

0.004

Percentile

74.6%

JSON
Related for SOL8280
cvelist1prion1cve1f51exploitdb1nessus2nvd1