CVE-2008-2637

Name of the Vulnerable Software and Affected Versions F5 FirePass SSL VPN versions prior to 6.0.2 hotfix 3

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via quotes in the css exceptions parameter in "vdesk/admincon/webyfiers.php" and the sql matchscope parameter in "vdesk/admincon/index.php".

Recommendations For F5 FirePass SSL VPN versions prior to 6.0.2 hotfix 3, consider disabling access to the vulnerable API endpoints "vdesk/admincon/webyfiers.php" and "vdesk/admincon/index.php" until a patch is available. Restrict the use of the css exceptions and sql matchscope parameters to minimize the risk of exploitation.