CVE-2019-6636

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
03/07/2019
Last modified:
17/06/2026

Description

On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The level of user role which can perform this attack are resource administrator and administrator.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* 12.0.0 (including) 12.1.4.1 (excluding)
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* 13.0.0 (including) 13.1.1.5 (excluding)
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* 14.0.0 (including) 14.0.0.5 (excluding)
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* 14.1.0 (including) 14.1.0.6 (excluding)
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* 12.0.0 (including) 12.1.4.1 (excluding)
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* 13.0.0 (including) 13.1.1.5 (excluding)
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* 14.0.0 (including) 14.0.0.5 (excluding)
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* 14.1.0 (including) 14.1.0.6 (excluding)