CVSS: 9.0EPSS: 49%CPEs: 100EXPL: 1CVE-2023-46748 – F5 BIG-IP Configuration Utility SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-46748
26 Oct 2023 — An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Existe una vulnerabilidad de inyección SQL autenticada en la utilidad de configuración BIG-IP que puede permitir que un atacante autenticado c... • https://my.f5.com/manage/s/article/K000137365 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 94%CPEs: 100EXPL: 12CVE-2023-46747 – F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-46747
26 Oct 2023 — Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Las solicitudes no divulgadas pueden omitir la autenticación de la utilidad de configuración, lo que permite a un atacante con acceso de red al sistema BIG-IP a través del puerto de administración... • https://packetstorm.news/files/id/177444 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •
CVSS: 9.9EPSS: 13%CPEs: 90EXPL: 0CVE-2023-41373 – BIG-IP Configuration Utility vulnerability
https://notcve.org/view.php?id=CVE-2023-41373
10 Oct 2023 — A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Existe una vulnerabilidad de directory traversal en la utilidad de configuración BIG-IP que puede permitir que un atacante autenticado ej... • https://my.f5.com/manage/s/article/K000135689 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 39EXPL: 0CVE-2023-40534 – BIG-IP HTTP/2 vulnerability
https://notcve.org/view.php?id=CVE-2023-40534
10 Oct 2023 — When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Cuando un perfil HTTP/2 del lado del cliente y la opción HTTP MRF Router están habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST ... • https://my.f5.com/manage/s/article/K000133467 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 95EXPL: 0CVE-2023-28406 – BIG-IP Configuration utility vulnerability
https://notcve.org/view.php?id=CVE-2023-28406
03 May 2023 — A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000132768 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 95EXPL: 0CVE-2023-27378 – BIG-IP TMUI XSS vulnerability
https://notcve.org/view.php?id=CVE-2023-27378
03 May 2023 — Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000132726 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 60EXPL: 2CVE-2002-20001
https://notcve.org/view.php?id=CVE-2002-20001
11 Nov 2021 — The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it c... • https://github.com/c0r0n3r/dheater • CWE-400: Uncontrolled Resource Consumption •