CVE-2022-28707 HIGH

CVE-2022-28707

Vendor F5

Product BIG-IP

Weakness CWE-79 · XSS

Published May 5, 2022

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Key dates

02Disclosure timeline

May 5, 2022 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-28707 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2022-28707

CWE CWE-79

CVSS 8.0 / HIGH

Affected versions

Vendor F5

Product BIG-IP

Affected ≥ 16.1.x and < 16.1.2.2

Vendor F5

Product BIG-IP

Affected ≥ 15.1.x and < 15.1.5.1

Vendor F5

Product BIG-IP

Affected ≥ 14.1.x and < 14.1.4.6

CVE-2022-28707

01Description

02Disclosure timeline

03References

04Related CVE