Last Modified: Oct 04, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1
Opened: May 03, 2023 Severity: 2-Critical
When a user is using an Access profile of type Modern, an attacker can craft a malicious URL and send it to an authenticated user to launch an XSS attack.
APM is vulnerable to an XSS attack.
- APM is provisioned with a Modern framework.
- Webtop enabled.
when CLIENT_ACCEPTED {
    # Allow this iRule's HTTP_REQUEST event to fire on APM internal (/vdesk) URIs
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # Drop the query string from webtop requests that carry percent-encoded data
    if { [HTTP::uri] starts_with "/vdesk/webtop.eui" && [HTTP::query] contains "%" } {
        HTTP::uri [HTTP::path]
    }
}
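To see exactly which requests the workaround iRule rewrites, here is an added Python model of its HTTP_REQUEST logic; it is not F5 code and not part of this bug record, and the sample request-targets in it are constructed.

```python
"""Model of the workaround iRule's HTTP_REQUEST logic (added example).

iRule command -> model:
  [HTTP::uri]   full request-target: path plus '?' and query, if any
  [HTTP::path]  everything before the first '?'
  [HTTP::query] everything after the first '?' (no leading '?')
"""

WEBTOP_PREFIX = "/vdesk/webtop.eui"


def split_uri(uri: str) -> tuple[str, str]:
    """Return (path, query) the way HTTP::path / HTTP::query would."""
    path, _sep, query = uri.partition("?")
    return path, query


def irule_rewrite(uri: str) -> str:
    """Return the request-target APM sees after the workaround iRule runs.

    Mirrors: if {[HTTP::uri] starts_with "/vdesk/webtop.eui" &&
                 [HTTP::query] contains "%"} { HTTP::uri [HTTP::path] }
    """
    path, query = split_uri(uri)
    # starts_with is a literal, case-sensitive prefix test on the whole URI,
    # so anything under the webtop.eui prefix (not only the exact path) matches.
    if uri.startswith(WEBTOP_PREFIX) and "%" in query:
        return path  # the entire query string is dropped, benign parts included
    return uri


def rewrite_report(uris: list[str]) -> dict[str, str]:
    """Map each sample request-target to its post-iRule form."""
    return {u: irule_rewrite(u) for u in uris}


# Constructed sample request-targets; not taken from the bug record.
SAMPLES = [
    "/vdesk/webtop.eui",                   # no query: untouched
    "/vdesk/webtop.eui?view=main",         # plain query: untouched
    "/vdesk/webtop.eui?msg=hello%21",      # percent-encoded query: stripped
    "/vdesk/webtop.eui/sub?msg=hello%21",  # same prefix, longer path: stripped
    "/my.policy?msg=hello%21",             # different URI: untouched
]

if __name__ == "__main__":
    for before, after in rewrite_report(SAMPLES).items():
        flag = "STRIPPED " if before != after else "unchanged"
        print(f"{flag} {before} -> {after}")
```

Because the rule clears the whole query string whenever it contains a "%", verify after applying it that webtop features which rely on percent-encoded query parameters still behave as expected.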
None