CVSS: 6.1EPSS: 0%CPEs: 84EXPL: 0CVE-2021-22994
https://notcve.org/view.php?id=CVE-2021-22994
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En... • https://support.f5.com/csp/article/K66851119 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 84EXPL: 0CVE-2021-22989
https://notcve.org/view.php?id=CVE-2021-22989
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, when running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anterior... • https://support.f5.com/csp/article/K56142644 •
CVSS: 9.0EPSS: 1%CPEs: 84EXPL: 0CVE-2021-22990
https://notcve.org/view.php?id=CVE-2021-22990
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, on systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones... • https://support.f5.com/csp/article/K45056101 •
CVSS: 9.9EPSS: 1%CPEs: 84EXPL: 0CVE-2021-22987
https://notcve.org/view.php?id=CVE-2021-22987
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3 when running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0... • https://support.f5.com/csp/article/K18132488 •
CVSS: 9.0EPSS: 2%CPEs: 84EXPL: 0CVE-2021-22988
https://notcve.org/view.php?id=CVE-2021-22988
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1, versiones 14.1.x anterior... • https://support.f5.com/csp/article/K70031188 •
CVSS: 9.8EPSS: 5%CPEs: 84EXPL: 1CVE-2021-22992 – F5 Big IP ASM is_hdr_criteria_matches Buffer Overflow
https://notcve.org/view.php?id=CVE-2021-22992
11 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise. Note: Software versions which have reached End of Software Development (E... • https://packetstorm.news/files/id/161753 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 0CVE-2021-22984
https://notcve.org/view.php?id=CVE-2021-22984
12 Feb 2021 — On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving a unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to Open Redirection attack... • https://support.f5.com/csp/article/K33440533 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.3EPSS: 0%CPEs: 84EXPL: 0CVE-2021-22978
https://notcve.org/view.php?id=CVE-2021-22978
12 Feb 2021 — On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1, versiones 15.1.x anteriores a 15.1.1, versiones 14... • https://support.f5.com/csp/article/K87502622 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 28EXPL: 0CVE-2021-22981
https://notcve.org/view.php?id=CVE-2021-22981
12 Feb 2021 — On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En todas las versiones de BIG-IP 12.1.x y 11.6.x, el protocolo TLS original incluye una debilidad en la ... • https://support.f5.com/csp/article/K09121542 •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2020-27718
https://notcve.org/view.php?id=CVE-2020-27718
24 Dec 2020 — When a BIG-IP ASM or Advanced WAF system running version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, or 11.6.1-11.6.5.2 processes requests with JSON payload, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. Cuando un sistema BIG-IP ASM o Advanced WAF ejecutándose en las versiones 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1. 5.2, o 11.6.1-11.6.5.2, procesa peticiones con carga útil JSON... • https://support.f5.com/csp/article/K58102101 •