CVE-2020-5915 : In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.

In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, an undisclosed TMUI page contains a vulnerability which allows a stored XSS when BIG-IP systems are setup in a device trust.

Published 2020-08-26 15:15:13

Updated 2020-08-31 13:40:21

Source F5 Networks

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2020-5915

F5 » Big-ip Local Traffic Manager
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Local Traffic Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Local Traffic Manager
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Local Traffic Manager
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Local Traffic Manager
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Local Traffic Manager
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 14.0.0 and before (<) 14.1.2.4
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 11.5.2 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 11.5.2 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 14.0.0 and before (<) 14.1.2.4
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Acceleration Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Advanced Firewall Manager
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Advanced Firewall Manager
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Advanced Firewall Manager
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Advanced Firewall Manager
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Advanced Firewall Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Advanced Firewall Manager
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Policy Enforcement Manager
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Policy Enforcement Manager
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Policy Enforcement Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Policy Enforcement Manager
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Policy Enforcement Manager
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Policy Enforcement Manager
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Domain Name System
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Domain Name System
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Domain Name System
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Domain Name System
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Domain Name System
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Domain Name System
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Fraud Protection Service
Versions from including (>=) 13.1.0 and before (<) 13.1.3.4
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Fraud Protection Service
Versions from including (>=) 14.1.0 and before (<) 14.1.2.5
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Fraud Protection Service
Versions from including (>=) 15.0.0 and before (<) 15.0.1.4
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Fraud Protection Service
Versions from including (>=) 11.6.1 and before (<) 11.6.5.2
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Fraud Protection Service
Versions from including (>=) 12.1.0 and before (<) 12.1.5.2
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Fraud Protection Service
Versions from including (>=) 15.1.0 and before (<) 15.1.0.5
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-5915

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 33 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-5915

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-5915

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-5915

https://support.f5.com/csp/article/K57214921

Article: K57214921 - BIG-IP TMUI XSS vulnerability CVE-2020-5915
Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-5915

Products affected by CVE-2020-5915

Exploit prediction scoring system (EPSS) score for CVE-2020-5915

CVSS scores for CVE-2020-5915

CWE ids for CVE-2020-5915

References for CVE-2020-5915