MEDIUM · 5.4

CVE-2016-7469

Vulnerability Description

A stored cross-site scripting (XSS) vulnerability in the Configuration utility device name change page in BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, WOM and WebSafe version 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, and 11.2.1 allows an authenticated user to inject arbitrary web script or HTML. Exploitation requires Resource Administrator or Administrator privileges, and it could cause the Configuration utility client to become unstable.

CVSS Score

5.4

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Affected Products

Vendor | Product | Versions
F5 | Big-Ip Local Traffic Manager | 11.2.1
F5 | Big-Ip Application Acceleration Manager | 11.4.0
F5 | Big-Ip Advanced Firewall Manager | 11.2.1
F5 | Big-Ip Analytics | 11.2.1
F5 | Big-Ip Access Policy Manager | 11.2.1
F5 | Big-Ip Application Security Manager | 11.2.1
F5 | Big-Ip Domain Name System | 12.0.0
F5 | Big-Ip Edge Gateway | 11.2.1
F5 | Big-Ip Global Traffic Manager | 11.2.1
F5 | Big-Ip Link Controller | 11.2.1
F5 | Big-Ip Policy Enforcement Manager | 11.4.0
F5 | Big-Ip Protocol Security Module | 11.4.0
F5 | Big-Ip Webaccelerator | 11.2.1
F5 | Big-Ip Websafe | 11.6.0
F5 | Big-Ip Wan Optimization Manager | 11.2.1
F5 | Enterprise Manager | 3.1.1

Related Weaknesses (CWE)

References

FAQ

What is CVE-2016-7469?

CVE-2016-7469 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A stored cross-site scripting (XSS) vulnerability in the Configuration utility device name change page in BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, ...

How severe is CVE-2016-7469?

CVE-2016-7469 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2016-7469?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Local Traffic Manager, F5 Big-Ip Application Acceleration Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Analytics, F5 Big-Ip Access Policy Manager.