In F5 BIG-IP APM 12.0.0 up to and including 12.1.2, non-authenticated users may be able to inject JavaScript into a request that will then be rendered and executed in the context of the Administrative user when the Administrative user is viewing the Access System Logs, allowing the non-authenticated user to carry out a Cross Site Scripting (XSS) attack against the Administrative user.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
f5 big-ip access policy manager 12.1.2 |
||
f5 big-ip access policy manager 12.1.0 |
||
f5 big-ip access policy manager 12.0.0 |
||
f5 big-ip access policy manager 12.1.1 |