SB2024101653 - Multiple vulnerabilities in BIG-IP Configuration utility (angular) 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024101653

SB2024101653 - Multiple vulnerabilities in BIG-IP Configuration utility (angular)

Published: October 16, 2024

Security Bulletin ID SB2024101653
Severity
Medium
Patch available
NO
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Prototype pollution (CVE-ID: CVE-2019-10768)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the merge() function. A remote attacker can trick the victim to follow a adding or modifying properties of `Object.prototype` using a `__proto__` payload and execute arbitrary script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Inefficient regular expression complexity (CVE-ID: CVE-2023-26116)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


3) Inefficient regular expression complexity (CVE-ID: CVE-2023-26117)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input passed via the $resource service. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


4) Inefficient regular expression complexity (CVE-ID: CVE-2023-26118)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in the input[url] functionality. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References