F5 BIG-IP Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the BIG-IP Configuration utility, affecting versions 15.1.0 through 15.1.10, 16.1.0 through 16.1.5, and 17.1.0 through 17.1.1. This vulnerability allows an attacker to execute JavaScript in the context of the currently logged-in user. The issue arises from an incomplete fix for a previous vulnerability, CVE-2024-31156.

Impact

Exploitation of this vulnerability allows an authenticated attacker to inject and execute malicious JavaScript in the context of the affected user. If the user has administrative privileges and access to the Advanced Shell (bash), this could lead to a complete compromise of the BIG-IP system.

Remediation

Users can upgrade to BIG-IP versions 15.1.10.6, 16.1.5.2, or 17.1.2 to address this vulnerability. For more information about managing BIG-IP product hotfixes, refer to the F5 article K13123.
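A defender's first job with an advisory like this is to find which appliances in inventory fall inside the affected ranges. The following added example (not part of the original advisory or any F5 tooling) encodes the version ranges and fixed versions quoted above and compares them numerically, which matters because a plain string comparison would wrongly rank 15.1.10.6 below 15.1.9. The inventory entries are constructed sample data; the status labels and the treatment of versions above the fix as "at or above fix" are this example's own assumptions, and versions outside the listed branches are reported as not covered by the advisory rather than as safe.

```python
from typing import Dict, List, Tuple

# Affected ranges and first fixed versions exactly as stated in the advisory:
# (first affected, last affected listed, first fixed).
ADVISORY: List[Tuple[str, str, str]] = [
    ("15.1.0", "15.1.10", "15.1.10.6"),
    ("16.1.0", "16.1.5", "16.1.5.2"),
    ("17.1.0", "17.1.1", "17.1.2"),
]

# Status labels are an assumption of this example, not advisory wording.
AFFECTED = "affected"
AT_OR_ABOVE_FIX = "at_or_above_fix"
NOT_IN_ADVISORY = "not_in_advisory"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.1.10.6' into (15, 1, 10, 6) so comparisons are numeric.

    Python compares tuples element by element, and a shorter tuple that is a
    prefix of a longer one sorts first, so (15, 1, 10) < (15, 1, 10, 6).
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed BIG-IP version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one BIG-IP version against the advisory's ranges."""
    v = parse_version(version)
    for first_affected, _last_affected, first_fixed in ADVISORY:
        start = parse_version(first_affected)
        fixed = parse_version(first_fixed)
        # Each advisory entry covers a single major.minor branch.
        if v[:2] != start[:2]:
            continue
        if v < start:
            return NOT_IN_ADVISORY
        if v >= fixed:
            return AT_OR_ABOVE_FIX
        return AFFECTED
    return NOT_IN_ADVISORY


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose version is inside an affected range."""
    return sorted(h for h, ver in inventory.items() if assess(ver) == AFFECTED)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "bigip-dc1-01": "15.1.10",      # last affected release on the 15.1 branch
    "bigip-dc1-02": "15.1.10.6",    # first fixed release on the 15.1 branch
    "bigip-dc2-01": "17.1.1.1",     # point release still below 17.1.2
    "bigip-dc2-02": "17.1.2",       # fixed
    "bigip-lab-01": "14.1.5",       # branch not listed in the advisory
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:14} {ver:10} {assess(ver)}")
    print("needs upgrade:", affected_hosts(SAMPLE_INVENTORY))
```

The branch match on the first two components is what keeps a 16.0.x or 14.1.x build from being silently mapped onto a neighbouring range; such versions are reported as not covered by this advisory so they can be checked separately rather than assumed patched.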

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.0
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.