F5 BIG-IP Configuration Utility XSS Vulnerability Advisory (CVE-2020-59269)

Critical Vulnerability Information Vulnerability Overview Vulnerability ID: K000151308 CVE ID: CVE-2020-59269 Vulnerability Type: XSS (Cross-Site Scripting) Affected Product: BIG-IP Configuration utility Impact Description Security Risk: Attackers can inject JavaScript code into unauthorized views of the BIG-IP Configuration utility, enabling execution of JavaScript in the context of the currently logged-in user. Severity: Medium Affected Versions BIG-IP Versions: - 14.x: 14.1.0-14.1.2.5, 14.0.0-14.0.0.7 - 13.x: 13.1.0-13.1.3.4, 13.0.0-13.0.0.5 - 12.x: 12.1.0-12.1.5.1, 12.0.0-12.0.0.6 - 11.x: 11.6.1-11.6.5.1 Solutions and Mitigation Measures Fixed Versions: - 14.x: 14.1.2.6, 14.0.0.8 - 13.x: 13.1.3.5, 13.0.0.6 - 12.x: 12.1.5.2, 12.0.0.7 - 11.x: 11.6.5.2 Temporary Mitigation Measures: - Disable access to the Configuration utility interface (IPv4 address: 127.0.0.1) - Use HTTPS policies to restrict access to the BIG-IP system - Use K12725646 to restrict access to the TMSH management interface, using remote/forward rules Additional Information Related Content: - K1525028: Overview of F5 Secure Communications - K1525029: Understanding Security Alerts and Notifications - K1525030: Frequently Asked Questions about Security Alerts - K1525031: Overview of F5 Security Policy - K1525032: How to Report and Resolve Vulnerabilities - K1525033: Subscribe to Email Notifications for F5 Product and Security Announcements - K1525034: Create a Customer ID to Download New Important Documents - K1525035: Contact F5 Support - K00099350: Security Alert K00099350: F5W is Generally Affected by CVE-2021-20855 - K00099351: Security Alert K00099351: Generally Affected by CVE-2021-20856

Goal Reached Thanks to every supporter — we hit 100%!

F5 BIG-IP Configuration Utility XSS Vulnerability Advisory (CVE-2020-59269)