CVE-2024-47139

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Oct 16, 2024 / Updated: 34d ago

010
CVSS 4.8EPSS 0.04%Medium
CVE info copied to clipboard

A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IQ Configuration utility that allows an attacker with the Administrator role to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-47139

Oct 16, 2024 at 3:15 PM
CVSS

A CVSS base score of 6.8 has been assigned.

Oct 16, 2024 at 3:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-47139. See article

Oct 16, 2024 at 3:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 16, 2024 at 3:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 17, 2024 at 10:04 AM
Static CVE Timeline Graph

Affected Systems

F5/big-iq_centralized_management
+null more

Attack Patterns

CAPEC-18: XSS Targeting Non-Script Elements
+null more

News

F5 fixed a high-severity elevation of privilege vulnerability in BIG-IP
In the constantly changing world of cybersecurity, keeping abreast of vulnerabilities is essential for preserving the integrity of your systems. Recently, F5 has disclosed two significant vulnerabilities: CVE-2024-47139, related to BIG-IQ and CVE-2024-45844 affecting BIG-IP. This blog post will go into the details of these vulnerabilities, their potential impact, and how organizations can assess their […] The post F5 fixed a high-severity elevation of privilege vulnerability in BIG-IP appeared first on SecPod Blog .
F5 fixes pair of product vulnerabilities
Attackers with at least "manager" privileges could leverage the BIG-IP vulnerability, tracked as CVE-2024-45844, to facilitate privilege escalation and systems compromise.
F5 Fixes Pair of Product Vulnerabilities - ChannelE2E
... OT Security · CRA News Service October 2, 2024. Dragos' acquisition of Network Perception will enable more robust OT security services. Privacy ...
F5 Patches High-Severity Vulnerabilities in BIG-IP and BIG-IQ Products
The advisory states, “This vulnerability may allow an authenticated attacker with Manager role privileges or greater, with access to the Configuration utility or TMOS Shell (tmsh), to elevate their privileges and compromise the BIG-IP system. The vulnerability CVE-2024-45844 allows an authenticated attacker, with Manager role privileges or more, to exploit it and elevate their privileges, thereby compromising the BIG-IP system.
F5 fixed a high-severity elevation of privilege vulnerability in BIG-IP
“This vulnerability may allow an authenticated attacker with Manager role privileges or greater, with access to the Configuration utility or TMOS Shell ( tmsh ), to elevate their privileges and compromise the BIG-IP system. To mitigate the issue, organizations should restrict access to the BIG-IP configuration utility and SSH to trusted networks or devices, and block access via self IP addresses.
See 20 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI