F5 BIG-IP® Configuration Utility Persistent Cross-Site Scripting Vulnerability
By: Roger Wemyss
Dell SecureWorks Security Advisory SWRX-2012-007
Advisory Information
- Title: F5 BIG-IP® Configuration Utility persistent cross-site scripting vulnerability
- Advisory ID: SWRX-2012-007
- Date published: Wednesday, October 2, 2012
- CVE: CVE-2012-2975
- CVSS v2 base score: 4.3
- Date of last update: Wednesday, October 2, 2012
- Vendors contacted: F5
- Release mode: Coordinated
- Discovered by: Roger Wemyss, Dell SecureWorks
Summary
A vulnerability exists in the BIG-IP® Configuration Utility due to improper sanitization of the “Top Requested URLs” table on the Overview: Traffic page. Malicious content is not properly sanitized before being stored and is later returned to an administrator in dynamically generated web content. Remote attackers could leverage this vulnerability to conduct persistent cross-site scripting attacks. When a user navigates to the Overview: Traffic page within the BIG-IP Configuration Utility, the content of the “Top Requested URLs” table is loaded into the affected JavaScript array and is executed in the user’s browser session. Successful exploitation may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.
PGP Signature (PC Users: You may need to right click your mouse and select "Save As" or "Save Target As" and then open with Notepad)
