Vulnerability Name:

CVE-2019-6636 (CCN-164410)

Assigned:2019-07-03
Published:2019-07-03
Updated:2020-08-24
Summary:On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The level of user role which can perform this attack are resource administrator and administrator.
CVSS v3 Severity:8.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
8.0 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:8.5 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
4.7 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:M/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Multiple_Instances
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
CWE-352
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2019-6636

Source: BID
Type: Third Party Advisory, VDB Entry
109108

Source: XF
Type: UNKNOWN
f5-cve20196636-xss(164410)

Source: CCN
Type: F5 Security Advisory K68151373
IP Intelligence Feed List TMUI vulnerability CVE-2019-6636

Source: CONFIRM
Type: Vendor Advisory
https://support.f5.com/csp/article/K68151373

Vulnerable Configuration:Configuration 1:
  • cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

    • Configuration 2:
  • cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 12.1.4.1)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.1.1.5)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.0.0.5)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.0.6)

    • * Denotes that component is vulnerable
    BACK
    f5 big-ip advanced firewall manager *
    f5 big-ip advanced firewall manager *
    f5 big-ip advanced firewall manager *
    f5 big-ip advanced firewall manager *
    f5 big-ip application security manager *
    f5 big-ip application security manager *
    f5 big-ip application security manager *
    f5 big-ip application security manager *