CVE-2020-5950 - Vulnerability Details

Vendors	Products
F5	Big-ip Advanced Firewall Manager

Link	Providers
https://support.f5.com/csp/article/K05204103
https://support.f5.com/csp/article/K42696541

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "BIG-IP", "vendor": "n/a", "versions": [{"status": "affected", "version": "14.1.0-14.1.2.6"}]}], "descriptions": [{"lang": "en", "value": "On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role."}], "problemTypes": [{"descriptions": [{"description": "XSS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-11T18:58:08", "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K42696541"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "f5sirt@f5.com", "ID": "CVE-2020-5950", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIG-IP", "version": {"version_data": [{"version_value": "14.1.0-14.1.2.6"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XSS"}]}]}, "references": {"reference_data": [{"name": "https://support.f5.com/csp/article/K42696541", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K42696541"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:47:40.955Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K42696541"}]}]}, "cveMetadata": {"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "cveId": "CVE-2020-5950", "datePublished": "2020-12-11T18:58:08", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:47:40.955Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : BIG-IP (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : 14.1.0-14.1.2.6 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : XSS (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2020-12-11T18:58:08 (string)

orgId : 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab (string)

shortName : f5 (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://support.f5.com/csp/article/K42696541 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : f5sirt@f5.com (string)

ID : CVE-2020-5950 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : BIG-IP (string)

version : { »

version_data : [ »

0 : { »

version_value : 14.1.0-14.1.2.6 (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : XSS (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://support.f5.com/csp/article/K42696541 (string)

refsource : CONFIRM (string)

url : https://support.f5.com/csp/article/K42696541 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T08:47:40.955Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://support.f5.com/csp/article/K42696541 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab (string)

assignerShortName : f5 (string)

cveId : CVE-2020-5950 (string)

datePublished : 2020-12-11T18:58:08 (string)

dateReserved : 2020-01-06T00:00:00 (string)

dateUpdated : 2024-08-04T08:47:40.955Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "45F9B579-F0F4-42DB-9F29-734278B3CEE8", "versionEndExcluding": "14.1.2.7", "versionStartIncluding": "14.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role."}, {"lang": "es", "value": "En BIG-IP versiones 14.1.0-14.1.2.6, los endpoints no divulgados en iControl REST, permiten un ataque de tipo XSS reflejado, lo que podr\u00eda conllevar a un compromiso completo del sistema BIG-IP si el usuario v\u00edctima se le concede el papel de administrador"}], "id": "CVE-2020-5950", "lastModified": "2024-11-21T05:34:53.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-11T19:15:13.433", "references": [{"source": "f5sirt@f5.com", "tags": ["Not Applicable"], "url": "https://support.f5.com/csp/article/K42696541"}, {"source": "nvd@nist.gov", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K05204103"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://support.f5.com/csp/article/K42696541"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 45F9B579-F0F4-42DB-9F29-734278B3CEE8 (string)

versionEndExcluding : 14.1.2.7 (string)

versionStartIncluding : 14.1.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. (string)

}

1 : { »

lang : es (string)

value : En BIG-IP versiones 14.1.0-14.1.2.6, los endpoints no divulgados en iControl REST, permiten un ataque de tipo XSS reflejado, lo que podría conllevar a un compromiso completo del sistema BIG-IP si el usuario víctima se le concede el papel de administrador (string)

}

]

id : CVE-2020-5950 (string)

lastModified : 2024-11-21T05:34:53.450 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 5 (number)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:N/C:N/I:N/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 5.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 1.4 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2020-12-11T19:15:13.433 (string)

references : [ »

0 : { »

source : f5sirt@f5.com (string)

tags : [ »

0 : Not Applicable (string)

]

url : https://support.f5.com/csp/article/K42696541 (string)

}

1 : { »

source : nvd@nist.gov (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://support.f5.com/csp/article/K05204103 (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Not Applicable (string)

]

url : https://support.f5.com/csp/article/K42696541 (string)

}

]

sourceIdentifier : f5sirt@f5.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object