PT-2019-18182 · F5 · F5 Big-Ip

Published: 2019-03-13 · Updated: 2023-02-16 · CVE-2019-6600

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

F5 BIG-IP versions 11.5.1 through 11.5.8
F5 BIG-IP versions 11.6.1 through 11.6.3.2
F5 BIG-IP versions 12.1.0 through 12.1.3.7
F5 BIG-IP versions 13.0.0 through 13.1.1.3
F5 BIG-IP versions 14.0.0 through 14.0.0.2
Description

When remote authentication is enabled for administrative users and all external users are granted the "guest" role, unsanitized values can be reflected to the client via the login page. This can lead to a cross-site scripting attack against unauthenticated clients.
Recommendations

For all affected versions listed above (11.5.1 through 11.5.8, 11.6.1 through 11.6.3.2, 12.1.0 through 12.1.3.7, 13.0.0 through 13.1.1.3, and 14.0.0 through 14.0.0.2), update to a version that sanitizes user input to prevent cross-site scripting attacks. As a temporary workaround, consider restricting access to the login page for unauthenticated clients until a patch is available.
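An added example, not part of the advisory and not F5 code: a small Python check that flags BIG-IP version strings falling inside the affected ranges listed above, so an inventory can be triaged for the update. The hostnames in the sample inventory are constructed; the advisory names no fixed release, so a version outside the ranges is reported only as "not listed", not as fixed.

```python
# Added example (not part of the advisory): checks whether a BIG-IP
# version string falls inside one of the affected ranges this advisory
# lists for CVE-2019-6600. Versions are compared as tuples of integers,
# so "11.6.3" sorts before "11.6.3.2" (a shorter prefix is lower).
from typing import Dict, Tuple

# Inclusive ranges copied from the "Affected Versions" section above.
AFFECTED_RANGES = [
    ("11.5.1", "11.5.8"),
    ("11.6.1", "11.6.3.2"),
    ("12.1.0", "12.1.3.7"),
    ("13.0.0", "13.1.1.3"),
    ("14.0.0", "14.0.0.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '13.1.1.3' into (13, 1, 1, 3).

    Non-numeric components (e.g. hotfix suffixes) are rejected rather than
    guessed at; the caller must normalise them first.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if `version` lies inside an affected range (bounds inclusive).

    False means 'not listed in this advisory', not 'confirmed fixed': the
    advisory names no fixed release, only 'a version that sanitizes input'.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return the hostname -> version subset that is inside an affected range."""
    return {host: ver for host, ver in inventory.items() if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"lb-edge-1": "12.1.3.7", "lb-edge-2": "12.1.4",
              "lb-dmz-1": "11.6.3", "lb-lab-1": "14.1.0"}
    for host, ver in triage(sample).items():
        print(f"{host}: {ver} is in an affected range; apply the update")
```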

Fix

XSS

Related Identifiers: CVE-2019-6600

Affected Products: F5 Big-Ip