PT-2019-18218 · F5 · Big-Ip

Published

2019-07-03

·

Updated

2020-08-24

·

CVE-2019-6636

CVSS v2.0

8.5

High

Vector

AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

BIG-IP (AFM, ASM) versions 11.5.1 through 11.6.4
BIG-IP (AFM, ASM) versions 12.1.0 through 12.1.4
BIG-IP (AFM, ASM) versions 13.0.0 through 13.1.1.4
BIG-IP (AFM, ASM) versions 14.0.0 through 14.0.0.4
BIG-IP (AFM, ASM) versions 14.1.0 through 14.1.0.5
Description A stored cross-site scripting (XSS) vulnerability exists in the AFM feed list. A user holding the Resource Administrator or Administrator role can store a script payload in a feed list entry; when an administrator later views that entry in the web management interface, the payload executes in the administrator's browser session and can issue requests with that administrator's privileges (a stored CSRF), resulting in code execution as the admin user. The attacker must already hold one of those two roles, so the prerequisite is authenticated, privileged access to the device (reflected in the CVSS vector's Au:S).
Recommendations For all affected versions listed above (BIG-IP (AFM, ASM) 11.5.1 through 11.6.4, 12.1.0 through 12.1.4, 13.0.0 through 13.1.1.4, 14.0.0 through 14.0.0.4 and 14.1.0 through 14.1.0.5), consider disabling the AFM feed list functionality until a patch is available. Because the attack requires an account with the Resource Administrator or Administrator role, also review which accounts hold those roles and remove any that do not need them. Disabling feed lists removes the input AFM consumes from them, so check which firewall policies depend on a feed list before turning the feature off.
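The description covers the vulnerability class in one sentence. As an added illustration, not F5's code and not taken from this advisory, the following Python contrasts a list-rendering routine that interpolates stored, operator-supplied values straight into HTML with a hardened version that escapes them and rejects non-HTTP URL schemes, and adds a check for active content in stored entries of the kind an auditor would run over exported configuration. The entry layout, names, URLs and the `/admin/users` path in the payload are constructed for the example and do not describe BIG-IP's real data model or API.

```python
import html
import re

# Constructed sample "feed list" entries (assumption: a name and a URL per
# entry). They stand in for values one admin stores and another admin views.
SAMPLE_FEED_LISTS = [
    {"name": "threat-intel-blocklist",
     "url": "https://feeds.example.test/block.txt"},
    # Stored script: runs in the viewing admin's session and fires a request
    # with that admin's privileges (the "stored CSRF" of the description).
    {"name": '<script>fetch("/admin/users",{method:"POST"})</script>',
     "url": "https://feeds.example.test/ok.txt"},
    # Attribute-context injection plus a javascript: URL.
    {"name": 'partner-feed" onmouseover="alert(1)',
     "url": "javascript:alert(1)"},
]

# Markup or handlers inside *stored* values: useful for auditing data at rest.
STORED_ACTIVE = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.I)

# Live script, handler or javascript: URL inside *rendered* HTML. Escaped
# output (e.g. onmouseover=&quot;) does not match because the quote is gone.
RENDERED_ACTIVE = re.compile(
    r'<\s*script|\son[a-z]+\s*=\s*["\']|href\s*=\s*["\']\s*javascript:', re.I)


def is_safe_http_url(url):
    """Allow only http(s) URLs; anything else (javascript:, data:) is dropped."""
    return re.match(r"^https?://", url, re.I) is not None


def render_row_vulnerable(entry):
    """The XSS pattern: stored text is placed into HTML without encoding."""
    return (f'<tr><td>{entry["name"]}</td>'
            f'<td><a href="{entry["url"]}">{entry["url"]}</a></td></tr>')


def render_row_hardened(entry):
    """Escape for text and attribute context; neutralise unsafe URL schemes."""
    name = html.escape(entry["name"], quote=True)
    url = entry["url"] if is_safe_http_url(entry["url"]) else "#"
    url = html.escape(url, quote=True)
    return f'<tr><td>{name}</td><td><a href="{url}">{url}</a></td></tr>'


def find_active_content(entries):
    """Return stored entries whose fields carry markup or script handlers."""
    return [e for e in entries
            if any(STORED_ACTIVE.search(str(v)) for v in e.values())]


def rendered_has_active_content(render, entries):
    """True if rendering the entries with `render` yields live script content."""
    return any(RENDERED_ACTIVE.search(render(e)) for e in entries)


if __name__ == "__main__":
    for e in find_active_content(SAMPLE_FEED_LISTS):
        print("suspicious stored entry:", e["name"])
    print("vulnerable render executes script:",
          rendered_has_active_content(render_row_vulnerable, SAMPLE_FEED_LISTS))
    print("hardened render executes script:",
          rendered_has_active_content(render_row_hardened, SAMPLE_FEED_LISTS))
```

Escaping at render time is the fix for the XSS itself; the stored-content check is only a detection aid for finding payloads already sitting in configuration, and it will flag benign names that happen to contain such tokens, so treat its hits as leads rather than verdicts.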

Fix

CSRF

XSS


Weakness Enumeration

Related Identifiers

CVE-2019-6636

Affected Products

Big-Ip