CVSS: 7.5EPSS: 0%CPEs: 26EXPL: 0CVE-2019-6602
https://notcve.org/view.php?id=CVE-2019-6602
28 Mar 2019 — In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility login page may not follow best security practices when handling a malicious request. En BIG-IP, en sus versiones 11.5.1-11.5.8 y 11.6.1-11.6.3, la página de inicio de sesión "Configuration Utility" podría no cumplir con las mejores prácticas al gestionar una petición manipulada. • http://www.securityfocus.com/bid/107626 • CWE-203: Observable Discrepancy •
CVSS: 4.3EPSS: 0%CPEs: 66EXPL: 0CVE-2019-6598
https://notcve.org/view.php?id=CVE-2019-6598
13 Mar 2019 — In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack requires an authenticated user with any role (other than the No Access role). The No Access user role cannot login and does not have the access level to perform the attack. En BIG-IP, 14.0.0-14.0.0.2, 13.0.0-13.1.... • https://support.f5.com/csp/article/K44603900 •
CVSS: 6.1EPSS: 0%CPEs: 65EXPL: 0CVE-2019-6600
https://notcve.org/view.php?id=CVE-2019-6600
13 Mar 2019 — In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when remote authentication is enabled for administrative users and all external users are granted the "guest" role, unsanitized values can be reflected to the client via the login page. This can lead to a cross-site scripting attack against unauthenticated clients. En BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, o 11.5.1-11.5.8, cuando la autenticación remota está habilitada para usu... • http://www.securityfocus.com/bid/107470 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 53EXPL: 0CVE-2019-6597
https://notcve.org/view.php?id=CVE-2019-6597
13 Mar 2019 — In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. En BIG-IP, 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, o 11.5.1-11.5.8 o Enterprise Manager 3.1.1, cuando los usuarios administrativos autenticados ejecutan comandos en el TMUI (Traffic Ma... • https://support.f5.com/csp/article/K29280193 •
CVSS: 5.9EPSS: 0%CPEs: 91EXPL: 0CVE-2019-6594
https://notcve.org/view.php?id=CVE-2019-6594
26 Feb 2019 — On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances. BIG-IP, en sus versiones 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1 y 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP), no protege contra manera correcta contra múltiples DATA_FIN de longitud cero en la cola de reensamblado, lo que podría conducir a un bucle... • https://support.f5.com/csp/article/K91026261 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.1EPSS: 0%CPEs: 13EXPL: 0CVE-2019-6592
https://notcve.org/view.php?id=CVE-2019-6592
26 Feb 2019 — On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL profiles. En BIG-IP 14.1.0-14.1.0.1, TMM puede reiniciarse y producir un archivo core durante la validación de certificados SSL en los perfiles SSL del cliente o del servidor. • http://www.securityfocus.com/bid/107176 • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 0%CPEs: 39EXPL: 0CVE-2019-6593
https://notcve.org/view.php?id=CVE-2019-6593
26 Feb 2019 — On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server's private key itself. (CVE-2019-6593 also known as Zombie POODLE and GOLDENDOODLE.) En BIG-IP 11.5.1-11.5.4, 11.6.1 y 12.1.0, un servidor virtual que está configurad... • https://support.f5.com/csp/article/K10065173 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 5.9EPSS: 1%CPEs: 180EXPL: 0CVE-2019-1559 – 0-byte record padding oracle
https://notcve.org/view.php?id=CVE-2019-1559
26 Feb 2019 — If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order ... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html • CWE-203: Observable Discrepancy CWE-325: Missing Cryptographic Step •
CVSS: 7.8EPSS: 0%CPEs: 30EXPL: 1CVE-2019-9075 – Gentoo Linux Security Advisory 202107-24
https://notcve.org/view.php?id=CVE-2019-9075
24 Feb 2019 — An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. Se ha descubierto un problema en la biblioteca Binary File Descriptor (BFD), también conocida como libbfd, tal y como se distribuye en GNU Binutils 2.32. Es un desbordamiento de búfer basado en memoria dinámica (heap) en _bfd_archive_64_bit_slurp_armap en archive64.c. USN-4336-1 fixed several vulnerabiliti... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00078.html • CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 1%CPEs: 56EXPL: 3CVE-2019-8331 – bootstrap: XSS in the tooltip or popover data-template attribute
https://notcve.org/view.php?id=CVE-2019-8331
20 Feb 2019 — In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. En Bootstrap, en versiones anteriores a la 3.4.1 y versiones 4.3.x anteriores a la 4.3.1, es posible Cross-Site Scripting (XSS) en los atributos de data-template tooltip o popover. A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popov... • https://github.com/Thampakon/CVE-2019-8331 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •