F5 BIG-IP Stored Cross-Site Scripting Vulnerability in Configuration Utility
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. An authenticated attacker with at least the Manager role can inject JavaScript that is stored by the utility and later executes in the browser session of the user who views that page. If that user is an administrator with access to the Advanced Shell (bash), the injected script runs with that user's privileges, which can lead to compromise of the BIG-IP system.
Impact
An attacker who exploits this vulnerability can run injected JavaScript in the context of the affected user's Configuration utility session. If that user is an administrator with bash access, this can result in a complete compromise of the BIG-IP system.
Remediation
To address this vulnerability, upgrade BIG-IP to version 17.5.1, 17.1.3, 16.1.6.1, or 15.1.10.8, whichever corresponds to the branch in use. For more information about managing BIG-IP product hotfixes, refer to the F5 article K13123.
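A branch-aware way to check an installed version against the fixed releases listed above, as an added example that is not part of this advisory or of any F5 tooling. It assumes that within each listed branch (15.1, 16.1, 17.1, 17.5) a version older than the listed release is unfixed and the listed release or later is fixed; the advisory does not state the affected ranges, so that is an assumption. The `tmsh show sys version` layout used by `version_from_tmsh` is also assumed, and the sample output is constructed for the example. A version outside the four listed branches is reported as an unknown branch rather than as safe.

```python
import re

# Fixed releases listed in the advisory, one per maintenance branch.
FIXED_RELEASES = ("17.5.1", "17.1.3", "16.1.6.1", "15.1.10.8")

# Constructed sample of `tmsh show sys version` output (layout is an
# assumption made for this example).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.2
  Build       0.0.50
  Edition     Final
  Date        Fri Nov 10 12:00:00 PST 2023
"""


def parse_version(text):
    """Turn '17.1.2' or '16.1.6.1' into a tuple of ints for comparison."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def branch_of(version):
    """The maintenance branch is the first two components, e.g. (17, 1)."""
    return version[:2]


def pad(version, width):
    """Right-pad with zeros so 17.1.3 and 17.1.3.1 compare component-wise."""
    return version + (0,) * (width - len(version))


def check_version(text):
    """Classify an installed version as 'fixed', 'unfixed' or 'unknown branch'.

    ASSUMPTION: within a listed branch, anything older than the listed
    release is treated as unfixed; the advisory does not give the ranges.
    """
    installed = parse_version(text)
    for fixed_text in FIXED_RELEASES:
        fixed = parse_version(fixed_text)
        if branch_of(installed) == branch_of(fixed):
            width = max(len(installed), len(fixed))
            if pad(installed, width) >= pad(fixed, width):
                return "fixed"
            return "unfixed"
    # A branch not listed in the advisory is not "safe"; it needs a manual check.
    return "unknown branch"


def version_from_tmsh(output):
    """Pull the 'Version' field out of `tmsh show sys version` output (assumed layout)."""
    match = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not match:
        raise ValueError("no Version line found in tmsh output")
    return match.group(1)


if __name__ == "__main__":
    installed = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    print(f"BIG-IP {installed}: {check_version(installed)}")
```

Feed the real `tmsh show sys version` output into `version_from_tmsh`; an "unknown branch" result means the branch is not covered by the versions listed here and the F5 advisory should be consulted directly.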
