Skip to main content
Close
0 Results Found
              Back To Results
                Advisories

                F5 BIG-IP® Configuration Utility Persistent Cross-Site Scripting Vulnerability

                By: Roger Wemyss

                Dell SecureWorks Security Advisory SWRX-2012-007

                Advisory Information

                • Title: F5 BIG-IP® Configuration Utility persistent cross-site scripting vulnerability
                • Advisory ID: SWRX-2012-007
                • Date published: Wednesday, October 2, 2012
                • CVE: CVE-2012-2975
                • CVSS v2 base score: 4.3
                • Date of last update: Wednesday, October 2, 2012
                • Vendors contacted: F5
                • Release mode: Coordinated
                • Discovered by: Roger Wemyss, Dell SecureWorks

                Summary

                A vulnerability exists in the BIG-IP® Configuration Utility due to improper sanitization of the “Top Requested URLs” table on the Overview: Traffic page. Malicious content is not properly sanitized before being stored and is later returned to an administrator in dynamically generated web content. Remote attackers could leverage this vulnerability to conduct persistent cross-site scripting attacks. When a user navigates to the Overview: Traffic page within the BIG-IP Configuration Utility, the content of the “Top Requested URLs” table is loaded into the affected JavaScript array and is executed in the user’s browser session. Successful exploitation may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.

                Download the PDF

                PGP Signature (PC Users: You may need to right click your mouse and select "Save As" or "Save Target As" and then open with Notepad)

                SecureWorks CTU Public Key


                Related Content

                Close Modal
                Close Modal