CVE-2021-23026
Summary: CVE-2021-23026 affects F5 BIG-IP and BIG-IQ via a CSRF flaw in iControl SOAP that can trick authenticated users into performing actions on the control plane. The vulnerability affects multiple release lines (e.g., BIG-IP 16.0.x up to 16.0.1.2, 15.1.x up to 15.1.2, 14.1.x up to 14.1.4, 13...
F5 BIG-IP Advanced WAF and ASM MySQL database denial of service vulnerability
F5 BIG-IP is an application delivery platform from F5 that integrates network traffic orchestration, load balancing, intelligent DNS, remote access policy management, etc. The F5 BIG-IP Advanced WAF and ASM MySQL database denial of service vulnerability is associated with a policy on Virtual Serve...
F5 BIG-IP iControl SOAP CSRF Vulnerability
F5 BIG-IP is an application delivery platform from F5 that integrates network traffic orchestration, load balancing, intelligent DNS, remote access policy management, etc. A CSRF vulnerability exists in F5 BIG-IP iControl SOAP, which could be exploited by an attacker to potentially trick...
F5 BIG-IP Cross-Site Request Forgery Vulnerability
F5 BIG-IP is an application delivery platform from F5 that integrates network traffic orchestration, load balancing, intelligent DNS, remote access policy management, etc. A CSRF vulnerability exists in F5 BIG-IP iControl SOAP, which could be exploited by an attacker to potentially trick...
Authentication flaw
On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints...
CVE-2021-23015
CVE-2021-23015 affects F5 BIG-IP when running in Appliance Mode. An authenticated user with the Administrator role may bypass Appliance Mode restrictions via undisclosed iControl REST endpoints. Impact is a control-plane bypass with no data-plane exposure; the vulnerability is mitigated by upgrad...
F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) Exploit
Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution Unauthenticated Exploit Author: Al1ex Vendor Homepage: https://www.f5.com/products/big-ip-services Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5....
F5 iControl Server-Side Request Forgery / Remote Command Execution Exploit
This Metasploit module exploits a pre-authentication server-side request forgery vulnerability in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device. This module requires...
F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution Unauthenticated Exploit Author: Al1ex Vendor Homepage: https://www.f5.com/products/big-ip-services Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5....
F5 iControl REST Unauthenticated SSRF Token Generation RCE
This module exploits a pre-auth SSRF in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device. This vulnerability is known as CVE-2021-22986. CVE-2021-22986 affects the following...
F5 iControl Server-Side Request Forgery / Remote Command Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'F5 iControl REST Unauthenticated SSRF Token Generation RCE', 'Description' = %q This module exploits a pre-auth SSRF in the F5 iControl REST API'...
CVE-2021-23001
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the upload functionality in BIG-IP Advanced WAF and BIG-IP ASM allows an authenticated user to upload files to the BIG-IP system using a ca...
CVE-2021-22994
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP...
Design/Logic Flaw
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the upload functionality in BIG-IP Advanced WAF and BIG-IP ASM allows an authenticated user to upload files to the BIG-IP system using a ca...
CVE-2021-23001
CVE-2021-23001 affects BIG-IP Advanced WAF/ASM; an authenticated user can upload files via an undisclosed iControl REST endpoint, potentially exhausting disk space or enabling later attacks. Affected versions include 16.0.0–16.0.1, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x. Remediation: upgrade ...
CVE-2021-22994
CVE-2021-22994 is an XSS flaw in BIG-IP iControl REST that enables a reflected XSS leading to complete system compromise when the victim is an admin. Affected: BIG-IP versions and branches as per F5 advisories (K66851119 and related entries): 16.x vulnerable 16.0.0–16.0.1; fix in 16.1.0.1/16.1.0+...
CVE-2021-22986
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note...