CVSS: 4.3EPSS: 0%CPEs: 95EXPL: 0CVE-2023-28406 – BIG-IP Configuration utility vulnerability
https://notcve.org/view.php?id=CVE-2023-28406
A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000132768 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 95EXPL: 0CVE-2023-27378 – BIG-IP TMUI XSS vulnerability
https://notcve.org/view.php?id=CVE-2023-27378
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000132726 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 58EXPL: 0CVE-2023-24594 – BIG-IP TMM SSL vulnerability
https://notcve.org/view.php?id=CVE-2023-24594
When an SSL profile is configured on a Virtual Server, undisclosed traffic can cause an increase in CPU or SSL accelerator resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000133132 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.7EPSS: 0%CPEs: 51EXPL: 1CVE-2022-41800 – Appliance mode iControl REST vulnerability
https://notcve.org/view.php?id=CVE-2022-41800
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En todas las versiones de BIG-IP, cuando se ejecuta en modo Dispositivo, un usuario autenticado al que se le haya asignado la función de Administrador puede evitar las restricciones del modo Dispositivo, utilizando un endpoint REST de iControl no revelado. Una explotación exitosa puede permitir al atacante cruzar un límite de seguridad. • https://support.f5.com/csp/article/K13325942 https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures https://support.f5.com/csp/article/K97843387 https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800.rb • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 47%CPEs: 57EXPL: 1CVE-2022-41622 – iControl SOAP vulnerability
https://notcve.org/view.php?id=CVE-2022-41622
In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En todas las versiones, BIG-IP y BIG-IQ son vulnerables a ataques de Cross-Site Request Forgery (CSRF) a través de iControl SOAP. Nota: Las versiones de software que han llegado al final del soporte técnico (EoTS) no se evalúan. • https://support.f5.com/csp/article/K94221585 https://github.com/rbowes-r7/refreshing-soap-exploit https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures https://support.f5.com/csp/article/K97843387 https://support.f5.com/csp/article/K05403841 https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622.rb • CWE-352: Cross-Site Request Forgery (CSRF) •