CVE-2019-6636

Published Jul 3, 2019

Last updated 4 years ago

CVSS high 8.4

Overview

Description: On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The level of user role which can perform this attack are resource administrator and administrator.
Source: f5sirt@f5.com
NVD status: Analyzed

Risk scores

CVSS 3.0

Type: Primary
Base score: 8.4
Impact score: 6
Exploitability score: 1.7
Vector string: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 8.5
Impact score: 10
Exploitability score: 6.8
Vector string: AV:N/AC:M/Au:S/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-352

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6D527234-B78F-4D27-94B9-D9B69F44B47B",
            "versionEndExcluding": "12.1.4.1",
            "versionStartIncluding": "12.0.0"
          },
          {
            "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7F602F8C-9548-47C4-A15E-FE52FDC37BFA",
            "versionEndExcluding": "13.1.1.5",
            "versionStartIncluding": "13.0.0"
          },
          {
            "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D1334426-195B-4AAF-9246-CDEA7C7AA5AA",
            "versionEndExcluding": "14.0.0.5",
            "versionStartIncluding": "14.0.0"
          },
          {
            "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7F17BEFE-DE6D-4DE1-A209-EEDA683A2594",
            "versionEndExcluding": "14.1.0.6",
            "versionStartIncluding": "14.1.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3DB7FE34-A859-4E99-AC3C-AA83BDEF96EB",
            "versionEndExcluding": "12.1.4.1",
            "versionStartIncluding": "12.0.0"
          },
          {
            "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D1209416-7A72-4B4E-B493-DCB1A04A39E1",
            "versionEndExcluding": "13.1.1.5",
            "versionStartIncluding": "13.0.0"
          },
          {
            "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A313A6FD-0436-44B7-A4E9-F96FDE8224C9",
            "versionEndExcluding": "14.0.0.5",
            "versionStartIncluding": "14.0.0"
          },
          {
            "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6E65DCA8-A17D-4E31-B8FC-6180C3CC9807",
            "versionEndExcluding": "14.1.0.6",
            "versionStartIncluding": "14.1.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References