PT-2017-9194 · F5 · F5 Big-Ip

Published: 2017-06-09 · Updated: 2019-06-06 · CVE-2016-7469

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: F5 BIG-IP versions 11.2.1, 11.4.0 through 11.6.1, 12.0.0 through 12.1.2

Description: A stored cross-site scripting (XSS) issue exists in the Configuration utility device name change page. This allows an authenticated user with Resource Administrator or Administrator privileges to inject arbitrary web script or HTML, potentially causing the Configuration utility client to become unstable.

Recommendations: For versions 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, consider restricting access to the Configuration utility device name change page until a fix is available. As a temporary workaround, limit the privileges of users to prevent exploitation, ensuring only necessary personnel have Resource Administrator or Administrator privileges. Avoid using the Configuration utility device name change page with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Weakness Enumeration

Related Identifiers

CVE-2016-7469

Affected Products

F5 Big-Ip