- 135/2024
- High
F5 has released security updates to address several vulnerabilities in multiple F5 products.
The addressed vulnerabilities could allow the authenticated remote attacker to perform denial of service attacks, conduct cross-site scripting attacks, manipulate data, view, add, modify, or delete information in the back-end database, obtain sensitive information, or bypass security restrictions on the affected system by sending a specially crafted request.
Sample of the addressed vulnerabilities:
1. F5 BIG-IP Cross-Site Scripting Vulnerability (CVE-2024-31156):
- CVSS: 8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Cross-Site Scripting
2. F5 BIG-IP Next Central Manager SQL Injection Vulnerability (CVE-2024- 21793):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
3. F5 BIG-IP (AFM) Denial of Service Vulnerability (CVE-2024-25560):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.