CVE-2023-27378 | ByteOS Network

Vulnerability Details :

CVE-2023-27378

Assigner-f5

Assigner Org ID-9dacffd4-cb11-413f-8451-fbbfd4ddc0ab

Published At-03 May, 2023 | 14:33

Updated At-29 Jan, 2025 | 21:03

BIG-IP TMUI XSS vulnerability

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:f5

Assigner Org ID:9dacffd4-cb11-413f-8451-fbbfd4ddc0ab

Published At:03 May, 2023 | 14:33

Updated At:29 Jan, 2025 | 21:03

▼CVE Numbering Authority (CNA)

BIG-IP TMUI XSS vulnerability

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Products

Vendor

Product

Modules

All Modules

Default Status

unknown

Versions

Affected

From 17.1.0 before 17.1.0.1 (semver)
From 17.0.0 before * (semver)
From 16.1.0 before 16.1.3.4 (semver)
From 15.1.0 before 15.1.8.2 (semver)
From 14.1.0 before 14.1.5.4 (semver)
From 13.1.0 before * (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-79	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Type: CWE

CWE ID: CWE-79

Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics

Version	Base score	Base severity	Vector
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Credits

finder

F5 acknowledges Yuya Chudo of Secureworks Japan K. K. for bringing this issue to our attention and following the highest standards of coordinated disclosure.

References

Hyperlink	Resource
https://my.f5.com/manage/s/article/K000132726	vendor-advisory

Hyperlink: https://my.f5.com/manage/s/article/K000132726

Resource:

vendor-advisory

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://my.f5.com/manage/s/article/K000132726	vendor-advisory x_transferred

Hyperlink: https://my.f5.com/manage/s/article/K000132726

Resource:

vendor-advisory

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:f5sirt@f5.com

Published At:03 May, 2023 | 15:15

Updated At:10 May, 2023 | 18:42

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 6.1

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CPE Matches

>>big-ip_access_policy_manager>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

>>big-ip_access_policy_manager>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

>>big-ip_access_policy_manager>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

>>big-ip_access_policy_manager>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

>>big-ip_access_policy_manager>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_web_application_firewall>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*

>>big-ip_advanced_web_application_firewall>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*

>>big-ip_advanced_web_application_firewall>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*

>>big-ip_advanced_web_application_firewall>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*

>>big-ip_advanced_web_application_firewall>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*

>>big-ip_analytics>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

>>big-ip_analytics>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

>>big-ip_analytics>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

>>big-ip_analytics>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

>>big-ip_analytics>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

>>big-ip_application_visibility_and_reporting>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*

>>big-ip_application_visibility_and_reporting>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*

>>big-ip_application_visibility_and_reporting>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*

>>big-ip_application_visibility_and_reporting>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*

>>big-ip_application_visibility_and_reporting>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*

>>big-ip_carrier-grade_nat>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*

>>big-ip_carrier-grade_nat>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*

>>big-ip_carrier-grade_nat>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*

>>big-ip_carrier-grade_nat>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*

>>big-ip_carrier-grade_nat>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*

>>big-ip_ddos_hybrid_defender>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*

>>big-ip_ddos_hybrid_defender>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*

>>big-ip_ddos_hybrid_defender>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*

>>big-ip_ddos_hybrid_defender>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*

>>big-ip_ddos_hybrid_defender>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>Versions from 13.1.0(inclusive) to 13.1.5(inclusive)

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>Versions from 14.1.0(inclusive) to 14.1.5.4(exclusive)

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>Versions from 15.1.0(inclusive) to 15.1.8.2(exclusive)

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>Versions from 16.1.0(inclusive) to 16.1.3.4(exclusive)

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>Versions from 17.0.0(inclusive) to 17.1.0.1(exclusive)

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	f5sirt@f5.com

CWE ID: CWE-79

Type: Primary

Source: f5sirt@f5.com

References

Hyperlink	Source	Resource
https://my.f5.com/manage/s/article/K000132726	f5sirt@f5.com	Vendor Advisory

Hyperlink: https://my.f5.com/manage/s/article/K000132726

Source: f5sirt@f5.com

Resource:

Vendor Advisory