F5 Networks BIG-IP : ASM < 11.6.0 Response Body XSS

medium Nessus Plugin ID 81597

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The F5 Networks Application Security Manager (ASM) running on the remote device is prior to version 11.6.0. It is, therefore, affected by a cross-site scripting vulnerability due to improper validation of user-supplied input to the 'Response Body' field when a new user account is being created. A remote attacker can exploit this to inject HTML or arbitrary web script, which then can be run by an administrative account using the 'Show' button in the management console.

Solution

Upgrade ASM to version 11.6.0 or later.

See Also

http://seclists.org/fulldisclosure/2015/Jan/40

Plugin Details

Severity: Medium

ID: 81597

File Name: f5_bigip_asm_11_6_0.nasl

Version: 1.3

Type: local

Published: 3/2/2015

Updated: 7/11/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:f5:big-ip_application_security_manager

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/modules, Host/BIG-IP/version

Exploit Ease: No known exploits are available

Patch Publication Date: 10/24/2014

Vulnerability Publication Date: 1/12/2015

Reference Information

CVE: CVE-2015-1050

BID: 72014