Reflected Cross-Site Scripting in F5 BIG-IP

SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >


title: Reflected Cross-Site Scripting

product: F5 BIG-IP

vulnerable version: <= 11.5.1

fixed version: > 11.6.0

impact: Medium

CVE number: CVE-2014-4023


found: 2014-07-07

by: Stefan Viehböck

SEC Consult Vulnerability Lab


Vendor/product description:


"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available."



Vulnerability overview/description:


BIG-IP suffers from a reflected Cross-Site Scripting vulnerability in its
web-based management interface. An attacker who gets an authenticated user to
submit a crafted request can run script in that user's browser, steal the
user's session, impersonate the user and thereby gain unauthorized access to
the admin interface.


Proof of concept:


The following HTTP request triggers the vulnerability:

POST /tmui/dashboard/echo.jsp HTTP/1.1
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29


The server does not properly encode the user-supplied content of this request
before returning it in the HTML response, resulting in reflected Cross-Site
Scripting. Note that the request carries a valid BIGIPAuthCookie and uses POST:
in a real attack the victim is an already logged-in user of the management
interface, and the attacker has to make that user's browser submit the payload,
e.g. via an auto-submitting form on an attacker-controlled page.
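The following is an added example, not code from the SEC Consult advisory and
not F5's code: a minimal model of an "echo" handler in the unencoded form the
advisory describes next to a hardened form that HTML-encodes its output, plus
the check a tester runs on a captured response to tell raw reflection from
encoded reflection, and a builder for a request in the shape of the one above
with a correct Content-Length. The parameter name "echo", the probe marker
and the host name are assumptions; the advisory does not show the request body.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed probe marker (assumption, not from the advisory): it contains
# every character that matters in an HTML context so any encoding is visible.
MARKER = 'xss"\'<>&probe'


def probe_body(marker: str) -> str:
    """URL-encode the marker into a form body. The parameter name 'echo' is
    an assumption; the advisory does not show the body of the request."""
    return "echo=" + quote(marker, safe="")


def vulnerable_echo(body: str) -> str:
    """Model of the flaw the advisory describes: the submitted value is
    written into the HTML response without any output encoding."""
    value = parse_qs(body, keep_blank_values=True).get("echo", [""])[0]
    return f"<html><body><p>You sent: {value}</p></body></html>"


def hardened_echo(body: str) -> str:
    """Same handler with HTML output encoding, the generic fix for reflected
    XSS in an HTML text context. This is an illustration, not F5's patch."""
    value = parse_qs(body, keep_blank_values=True).get("echo", [""])[0]
    safe = html.escape(value, quote=True)
    return f"<html><body><p>You sent: {safe}</p></body></html>"


def reflection_status(response_body: str, marker: str) -> str:
    """Classify how the probe came back: 'raw' means the metacharacters were
    reflected unencoded (reflected XSS is very likely), 'encoded' means they
    were HTML-escaped, 'absent' means the value was not reflected at all."""
    if marker in response_body:
        return "raw"
    if html.escape(marker, quote=True) in response_body:
        return "encoded"
    return "absent"


def build_post(host: str, path: str, body: str,
               cookie: str = "BIGIPAuthCookie=*VALID_COOKIE*") -> bytes:
    """Serialize a raw HTTP/1.1 POST in the shape of the advisory's request,
    with Content-Length computed from the actual body. The host is a
    placeholder; send the bytes through a socket or an intercepting proxy."""
    payload = body.encode()
    head = "\r\n".join([
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Cookie: {cookie}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(payload)}",
    ])
    return head.encode() + b"\r\n\r\n" + payload


if __name__ == "__main__":
    body = probe_body(MARKER)
    print(build_post("bigip.example", "/tmui/dashboard/echo.jsp", body).decode())
    print("vulnerable handler:", reflection_status(vulnerable_echo(body), MARKER))
    print("hardened handler:  ", reflection_status(hardened_echo(body), MARKER))
```

The probe is deliberately not a script tag: a tester only needs to know whether
`<`, `>`, `"`, `'` and `&` survive unencoded in the response to decide that the
endpoint is injectable, and a harmless marker is less likely to be blocked by a
WAF in front of the management interface than a full payload.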


Vulnerable / tested versions:


More information can be found at:


Vendor contact timeline:


2014-07-08: Sending advisory and proof of concept exploit via encrypted


2014-07-09: Vendor confirms receipt of advisory. States that fix will be
released in the "next 6 weeks or so"

2014-07-24: Vendor provides CVE: CVE-2014-4023

2014-08-26: Vendor releases fixed version.

2014-08-28: SEC Consult releases a coordinated security advisory.




Update to the newest version.

More information can be found at:




No workaround available.


Advisory URL:




SEC Consult Vulnerability Lab

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius


Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

Mail: research at sec-consult dot com




Interested in working with the experts of SEC Consult?

Write to

EOF Stefan Viehböck / @2014