CVE-2016-9257

Summary

In F5 BIG-IP APM 12.0.0 through 12.1.2, non-authenticated users may be able to inject JavaScript into a request that will then be rendered and executed in the context of the Administrative user when the Administrative user is viewing the Access System Logs, allowing the non-authenticated user to carry out a Cross Site Scripting (XSS) attack against the Administrative user.

Affected Software

VendorProductVersion RangeStatus
F5 Networks, Inc.BIG-IP APM12.0.0 through 12.1.2affected

Weaknesses

  • Non-authenticated XSS attack against Administrative interface via public interface

ADP Enrichment

CVE Program Container

Additional References

References