CVE-2022-28716

moderate-risk

Published 2022-05-05

On 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP AFM, CGNAT, and PEM Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Do I need to act?

1.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / HIGH complexity

Affected Products (3)

Big-Ip Advanced Firewall Manager

Big-Ip Carrier-Grade Nat

Big-Ip Policy Enforcement Manager

Affected Vendors

References (2)

Mitigation https://support.f5.com/csp/article/K25451853

/ 100

moderate-risk

Severity 22/34 · High

Exploitability 4/34 · Minimal

Exposure 9/34 · Low