CVE-2019-6639

Name of the Vulnerable Software and Affected Versions BIG-IP (AFM, PEM) versions 11.5.1 through 11.5.8 BIG-IP (AFM, PEM) versions 11.6.1 through 11.6.3.4 BIG-IP (AFM, PEM) versions 12.1.0 through 12.1.4 BIG-IP (AFM, PEM) versions 13.0.0 through 13.1.1.4 BIG-IP (AFM, PEM) versions 14.0.0 through 14.0.0.4 BIG-IP (AFM, PEM) versions 14.1.0 through 14.1.0.5

Description The issue is related to stored cross-site scripting (XSS) in undisclosed TMUI pages for AFM and PEM Subscriber management. This is a control plane issue only, not accessible from the data plane, and requires a malicious resource administrator to store the XSS.

Recommendations For versions 11.5.1 through 11.5.8, update to a version outside of this range to mitigate the risk. For versions 11.6.1 through 11.6.3.4, update to a version outside of this range to mitigate the risk. For versions 12.1.0 through 12.1.4, update to a version outside of this range to mitigate the risk. For versions 13.0.0 through 13.1.1.4, update to a version outside of this range to mitigate the risk. For versions 14.0.0 through 14.0.0.4, update to a version outside of this range to mitigate the risk. For versions 14.1.0 through 14.1.0.5, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the affected TMUI pages for AFM and PEM Subscriber management until a patch is available.