Shodan
Vulnerabilities
Vulnerable Software
F5:  Security Vulnerabilities
CVE-2020-5905
In version 11.6.1-11.6.5.2 of the BIG-IP system Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before display.
CVSS Score
4.3
EPSS Score
0.003
Published
2020-07-01
CVE-2020-5906
In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol access to read and overwrite blacklisted files via SCP.
CVSS Score
8.1
EPSS Score
0.001
Published
2020-07-01
CVE-2020-5907
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, an authorized user provided with access only to the TMOS Shell (tmsh) may be able to conduct arbitrary file read/writes via the built-in sftp functionality.
CVSS Score
7.2
EPSS Score
0.004
Published
2020-07-01
CVE-2020-5908
In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, Edge Client for Linux exposes full session ID in the local log files.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-07-01
CVE-2020-5900
In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface.
CVSS Score
8.8
EPSS Score
0.003
Published
2020-07-01
CVE-2020-5896
On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-05-12
CVE-2020-5897
In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability in the BIG-IP Edge Client Windows ActiveX component.
CVSS Score
8.8
EPSS Score
0.009
Published
2020-05-12
CVE-2020-5898
In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver does not sanitize the pointer received from the userland. A local user on the Windows client system can send crafted DeviceIoControl requests to \\.\urvpndrv device causing the Windows kernel to crash.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-05-12
CVE-2020-5894
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.
CVSS Score
8.1
EPSS Score
0.004
Published
2020-05-07
CVE-2020-5895
On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-05-07


Products
Pricing
Contact Us

Shodan ® - All rights reserved