Vulnerability Details : CVE-2019-6600
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when remote authentication is enabled for administrative users and all external users are granted the "guest" role, unsanitized values can be reflected to the client via the login page. This can lead to a cross-site scripting attack against unauthenticated clients.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-6600
- F5 » Big-ip Local Traffic ManagerVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Local Traffic ManagerVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Local Traffic ManagerVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Local Traffic ManagerVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Local Traffic ManagerVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Global Traffic ManagerVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Global Traffic ManagerVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Global Traffic ManagerVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Global Traffic ManagerVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Global Traffic ManagerVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Access Policy ManagerVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Access Policy ManagerVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Access Policy ManagerVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Access Policy ManagerVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Access Policy ManagerVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Firewall ManagerVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Firewall ManagerVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Firewall ManagerVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Firewall ManagerVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Firewall ManagerVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Policy Enforcement ManagerVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Policy Enforcement ManagerVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Policy Enforcement ManagerVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Policy Enforcement ManagerVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Policy Enforcement ManagerVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Domain Name SystemVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- F5 » Big-ip Domain Name SystemVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- F5 » Big-ip Domain Name SystemVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- F5 » Big-ip Domain Name SystemVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- F5 » Big-ip Domain Name SystemVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- F5 » Big-ip Fraud Protection ServiceVersions from including (>=) 13.0.0 and up to, including, (<=) 13.1.1.3cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- F5 » Big-ip Fraud Protection ServiceVersions from including (>=) 14.0.0 and up to, including, (<=) 14.0.0.2cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- F5 » Big-ip Fraud Protection ServiceVersions from including (>=) 11.5.1 and up to, including, (<=) 11.5.8cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- F5 » Big-ip Fraud Protection ServiceVersions from including (>=) 12.1.0 and up to, including, (<=) 12.1.3.7cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- F5 » Big-ip Fraud Protection ServiceVersions from including (>=) 11.6.1 and up to, including, (<=) 11.6.3.2cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-6600
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 38 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-6600
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2019-6600
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-6600
-
https://support.f5.com/csp/article/K23734425
Vendor Advisory
-
http://www.securityfocus.com/bid/107470
Multiple F5 BIG-IP Products CVE-2019-6600 Cross Site Scripting VulnerabilityBroken Link;Third Party Advisory;VDB Entry
Jump to