Positive TechnologiesPT-2020-05PT-2020-05: Cross-site scripting (XSS) in F5 Traffic Management User Interface (TMUI)
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
43.1%
PT-2020-05: Cross-site scripting (XSS) in F5 Traffic Management User Interface (TMUI)
F5 Traffic Management User Interface (TMUI)
Severity:
Severity level: High
Impact: Cross-site scripting (XSS) in F5 Traffic Management User Interface (TMUI)
Access Vector: Remote
CVSS v3.1: Base 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE: CVE-2020-5903
Vulnerability description:
The vulnerability allows remote attackers to execute malicious JavaScript code in the context of the current user. If the logged-on user has administrative rights and Advanced Shell (bash) access, an attacker who successfully exploited the vulnerability could fully compromise the BIG-IP system.
Advisory status:
01.04.2020 - Vendor notification date
01.07.2020 - Security advisory publication date (<https://support.f5.com/csp/article/K43638305>)
Credits:
The vulnerability was discovered by Mikhail Klyuchnikov, Positive Technologies
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
43.1%