F5 Networks, Inc. Security Vulnerabilities

F5 Networks BIG-IP : iControl REST and tmsh vulnerability (K83284425)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.3 / 15.1.8.1 / 16.1.3.3 / 17.0.0.2 / 17.1.0. It is, therefore, affected by a vulnerability as referenced in the K83284425 advisory. In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before...

F5 Networks BIG-IP : BIG-IP SIP profile vulnerability (K34525368)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.3 / 15.1.8 / 16.1.3.3. It is, therefore, affected by a vulnerability as referenced in the K34525368 advisory. On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8, 14.1.x before 14.1.5.3, and all...

F5 Networks BIG-IP : BIG-IP APM OAuth vulnerability (K20717585)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.3. It is, therefore, affected by a vulnerability as referenced in the K20717585 advisory. On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the...

F5 Networks BIG-IP : BIG-IP Virtual Edition vulnerability (K24572686)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.3 / 15.1.8. It is, therefore, affected by a vulnerability as referenced in the K24572686 advisory. On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to...

F5 Networks BIG-IP : BIG-IP Packet Filters vulnerability (K31856317)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.4.6 / 15.1.5.1 / 16.1.2.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K31856317 advisory. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x...

F5 Networks BIG-IP : BIG-IP iQuery mesh vulnerability (K000132972)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.4 / 15.1.8.2 / 16.1.3.4 / 17.1.0.1. It is, therefore, affected by a vulnerability as referenced in the K000132972 advisory. When DNS is provisioned, an authenticated remote command execution vulnerability exists in...

F5 Networks BIG-IP : BIG-IP UDP profile vulnerability (K20145107)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.4 / 15.1.8.2 / 16.1.3.4 / 17.1.0. It is, therefore, affected by a vulnerability as referenced in the K20145107 advisory. When UDP profile with idle timeout set to immediate or the value 0 is configured on a virtual...

F5 Networks BIG-IP : BIG-IP CGNAT LSN vulnerability (K54082580)

The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.5 / 14.1.4.6 / 15.1.5.1 / 16.1.0 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K54082580 advisory. On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and...

F5 Networks BIG-IP : BIG-IP Stream profile vulnerability (K99123750)

The version of F5 Networks BIG-IP installed on the remote host is prior to 16.1.2.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K99123750 advisory. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, when the stream profile is configured on a virtual server, ...

F5 Networks BIG-IP : BIG-IP DNS resolver vulnerability (K85054496)

The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.5.1 / 16.1.2.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K85054496 advisory. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, when a BIG-IP...

F5 Networks BIG-IP : BIG-IP SSL/TLS vulnerability (K09121542)

The version of F5 Networks BIG-IP installed on the remote host is prior to 13.0.0. It is, therefore, affected by a vulnerability as referenced in the K09121542 advisory. On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation...

OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled

Impact OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, by...

F5 Networks BIG-IP : BIG-IP HTTP profile vulnerability (K96924184)

The version of F5 Networks BIG-IP installed on the remote host is prior to 16.1.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K96924184 advisory. On BIG-IP version 16.1.x before 16.1.2, when an HTTP profile is configured on a virtual server, undisclosed...

F5 Networks BIG-IP : BIG-IP MRF Diameter vulnerability (K82793463)

The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.5 / 14.1.4.4 / 15.1.4.1 / 16.1.2. It is, therefore, affected by a vulnerability as referenced in the K82793463 advisory. On BIG-IP version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all...

CVE-2024-5179 Cowidgets – Elementor Addons <= 1.1.1 - Authenticated (Contributor+) Local File Inclusion

The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'item_style' and 'style' parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute...

@workos-inc/authkit-nextjs session replay vulnerability

Impact A user can reuse an expired session by controlling the x-workos-session header. Patches Patched in...

CVE-2023-30306

An issue discovered in Mercury x30g, Mercury YR1800XG routers allows attackers to hijack TCP sessions which could lead to a denial of...

CVE-2023-0583

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_vk_blocks_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default...

CVE-2024-4362

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 1.60.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible....

CVE-2022-31153

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the...

@workos-inc/authkit-nextjs session replay vulnerability

Impact A user can reuse an expired session by controlling the x-workos-session header. Patches Patched in...

F5 Networks BIG-IP : Side-channel processor vulnerability (K35135935)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K35135935 advisory. Systems with microprocessors utilizing speculative execution may allow unauthorized disclosure of information to an...

F5 Networks BIG-IP : BIG-IP DHCPv6 vulnerability (K36228121)

An attacker sending specifically crafted DHCPv6 requests through a BIG-IP virtual server configured with a DHCPv6 profile may be able to cause the Traffic Management Microkernel (TMM) process to produce a core file. (CVE-2019-6643) Impact This vulnerability may allow an attacker who can route...

CVE-2024-4611

The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the...

CVE-2024-4611 AppPresser <= 4.3.2 - Improper Missing Encryption Exception Handling to Authentication Bypass

The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the...

CVE-2024-4611 AppPresser <= 4.3.2 - Improper Missing Encryption Exception Handling to Authentication Bypass

The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the...

F5 Networks BIG-IP : GNU C Library vulnerability (K64119434)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K64119434 advisory. In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives,...

CVE-2024-4362 SiteOrigin Widgets Bundle <= 1.60.0 - - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 1.60.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible....

F5 Networks BIG-IP : Apache Commons FileUpload vulnerability (K000133052)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K000133052 advisory. Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the...

F5 Networks BIG-IP : Linux kernel vulnerability for (K52379673)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K52379673 advisory. A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file...

CVE-2024-1467 Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 4.1.6 - Authenticated (Contributor+) Server-Side Request Forgery

The Starter Templates — Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.6 via the ai_api_request(). This makes it possible for authenticated attackers, with contributor-level access and...

CVE-2023-34237

SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the...

F5 Networks BIG-IP : BIG-IP PEM vulnerability (K000135946)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K000135946 advisory. When a BIG-IP PEM classification profile is configured on a UDP virtual server, undisclosed requests can cause the...

F5 Networks BIG-IP : SSB Variant 4 vulnerability (K29146534)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K29146534 advisory. Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the...

CVE-2024-2793

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to Stored Cross-Site Scripting via comments in all versions up to, and including, 3.30 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated.....

CVE-2023-30307

An issue discovered in TP-LINK TL-R473GP-AC, TP-LINK XDR6020, TP-LINK TL-R479GP-AC, TP-LINK TL-R4239G, TP-LINK TL-WAR1200L, and TP-LINK TL-R476G routers allows attackers to hijack TCP sessions which could lead to a denial of...

CVE-2023-30307

An issue discovered in TP-LINK TL-R473GP-AC, TP-LINK XDR6020, TP-LINK TL-R479GP-AC, TP-LINK TL-R4239G, TP-LINK TL-WAR1200L, and TP-LINK TL-R476G routers allows attackers to hijack TCP sessions which could lead to a denial of...

CVE-2023-30307

An issue discovered in TP-LINK TL-R473GP-AC, TP-LINK XDR6020, TP-LINK TL-R479GP-AC, TP-LINK TL-R4239G, TP-LINK TL-WAR1200L, and TP-LINK TL-R476G routers allows attackers to hijack TCP sessions which could lead to a denial of...

CVE-2023-30306

An issue discovered in Mercury x30g, Mercury YR1800XG routers allows attackers to hijack TCP sessions which could lead to a denial of...

CVE-2023-0584

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change the 'vk_font_awesome_version' option to an...

Tendermint Core vulnerable to Uncontrolled Resource Consumption

Description Tendermint Core v0.34.0 introduced a new way of handling evidence of misbehavior. As part of this, we added a new Timestamp field to Evidence structs. This timestamp would be calculated using the same algorithm that is used when a block is created and proposed. (This algorithm relies...

Authentication Bypass

OctoPrint is vulnerable to an Authentication Bypass. The vulnerability is due to an unauthenticated attacker being able to bypass authentication by spoofing their IP via the X-Forwarded-For header when the autologinLocal option is enabled, even if they are from networks not configured as...

F5 Networks BIG-IP Edge Client for macOS Privilege Escalation (K000135040)

The version of F5 Networks BIG-IP installed on the remote macOS host is prior or equal to 17.1.0 / 16.1.4 / 15.1.10 / 14.1.5 / 13.1.5. It is, therefore, affected by a vulnerability as referenced in the K000135040 advisory. An insufficient verification of data may allow an attacker elevation of...

F5 Networks BIG-IP : BIG-IP APM virtual server vulnerability (K95503300)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.3 / 15.1.7 / 16.1.3.3 / 17.0.0.2 / 17.1.0. It is, therefore, affected by a vulnerability as referenced in the K95503300 advisory. On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7,...

F5 Networks BIG-IP : BIG-IP AFM virtual server vulnerability (K24358905)

The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.5 / 14.1.4.5 / 15.1.4.1 / 16.1.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K24358905 advisory. On BIG-IP AFM version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before...

F5 Networks BIG-IP : BIG-IP FIPS HSM password vulnerability (K000135449)

The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.4 / 14.1.4 / 15.1.1 / 16.0.0. It is, therefore, affected by a vulnerability as referenced in the K000135449 advisory. Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password...

F5 Networks BIG-IP : BIG-IP SIP ALG profile vulnerability (K51539421)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.4.6 / 15.1.5 / 16.1.2.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K51539421 advisory. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, and 14.1.x...

F5 Networks BIG-IP : TMUI authenticated remote command execution vulnerability (K70031188)

The version of F5 Networks BIG-IP installed on the remote host is prior to 11.6.5.3 / 12.1.5.3 / 13.1.3.6 / 14.1.4 / 15.1.2.1 / 16.0.1.1 / 16.1.0. It is, therefore, affected by a vulnerability as referenced in the K70031188 advisory. On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before...

F5 Networks BIG-IP : BIG-IP Configuration utility XSS vulnerability (K000132726)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.5.4 / 15.1.8.2 / 16.1.3.4 / 17.1.0.1. It is, therefore, affected by a vulnerability as referenced in the K000132726 advisory. Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of.....

F5 Networks BIG-IP : BIG-IP Net HSM script vulnerability (K47662005)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.1.4.6 / 15.1.5.1 / 16.1.0 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K47662005 advisory. On F5 BIG-IP 15.1.x versions prior to 15.1.5.1 and 14.1.x versions prior to 14.1.4.6, when...