| OSVDB ID | Disclosure Date | Title | Description |
| --- | --- | --- | --- |
| 61520 | 2010-01-05 | F5 Data Manager ViewSatReport.do ext Parameter Traversal Arbitrary File Access | F5 Data Manager contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'ViewSatReport.do' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'ext' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 46004 | 2008-06-05 | F5 FirePass /vdesk/admincon/index.php sql_matchscope Parameter XSS | F5 FirePass contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the '/vdesk/admincon/index.php' script not properly sanitizing user-supplied input to the 'sql_matchscope' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 46003 | 2008-06-05 | F5 FirePass /vdesk/admincon/webyfiers.php css_exceptions Parameter XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN 6.0.2 hotfix 3, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via quotes in (1) the css_exceptions parameter in vdesk/admincon/webyfiers.php and (2) the sql_matchscope parameter in vdesk/admincon/index.php. |
| 29779 | 2006-10-17 | F5 FirePass 1000 SSL VPN my.acctab.php3 sid Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in my.acctab.php3 in F5 Networks FirePass 1000 SSL VPN 5.5, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the sid parameter. |
| 46813 | 2008-07-03 | F5 FirePass 1200 SSL VPN SNMP HOST-RESOURCES-MIB Traversing DoS | (Description Provided by CVE): The SNMP daemon in the F5 FirePass 1200 6.0.2 hotfix 3 allows remote attackers to cause a denial of service (daemon crash) by walking the hrSWInstalled OID branch in HOST-RESOURCES-MIB. |
| 44611 | 2008-04-28 | F5 FirePass 4100 SSL VPN installControl.php3 XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in installControl.php3 in F5 FirePass 4100 SSL VPN 5.4.2-5.5.2 and 6.0-6.2 allows remote attackers to inject arbitrary web script or HTML via the query string. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 38980 | 2007-12-03 | F5 FirePass 4100 SSL VPN my.activation.php3 URL XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass 4100 SSL VPN 5.4.1 through 5.5.2 and 6.0 through 6.0.1, when pre-logon sequences are enabled, allow remote attackers to inject arbitrary web script or HTML via the query string to (1) my.activation.php3 and (2) my.logon.php3. |
| 35246 | 2007-06-04 | F5 FirePass 4100 SSL VPN my.activation.php3 username Variable Arbitrary Command Injection | F5 Firepass 4100 contains a flaw that may allow a malicious user to execute arbitrary shell commands. The issue is triggered because the script 'my.activation.php3' does not properly verify user-supplied input in the 'username' variable. It is possible that the flaw may allow code execution under unspecified circumstances resulting in a loss of integrity. |
| 38981 | 2007-11-30 | F5 FirePass 4100 SSL VPN my.logon.php3 URL XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass 4100 SSL VPN 5.4.1 through 5.5.2 and 6.0 through 6.0.1, when pre-logon sequences are enabled, allow remote attackers to inject arbitrary web script or HTML via the query string to (1) my.activation.php3 and (2) my.logon.php3. |
| 24034 | 2006-03-21 | F5 Firepass 4100 SSL VPN my.support.php3 s Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in my.support.php3 in F5 Firepass 4100 SSL VPN 5.4.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter. |
| 28207 | 2006-07-04 | F5 FirePass 4100 Unspecified Multiple Parameter XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in F5 Networks FirePass 4100 5.x allow remote attackers to inject arbitrary web script or HTML via unspecified "writable form fields and hidden fields," including "authentication frontends." |
| 81501 | 2012-03-28 | F5 FirePass Command Execution Authentication Weakness Local Privilege Escalation | F5 FirePass contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered by the program not requiring authentication to execute commands, allowing a local attacker to gain escalated. |
| 32734 | 2007-01-05 | F5 FirePass Dotless IP Address URL Restriction Bypass | FirePass contains a flaw that may allow a malicious user to bypass web filter restrictions. The issue is triggered when a user submits an IP address in a URL as a dotless, decimal value, which may allow the user to bypass any 'deny' statements that may have otherwise affected the IP address, resulting in a loss of integrity. |
| 32739 | 2007-01-05 | F5 FirePass FP_DO_NOT_TOUCH Tag XSS | FirePass contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate values included in <FP_DO_NOT_TOUCH> tags upon submission to unspecified scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 55040 | 2009-06-11 | F5 FirePass Login Page Password Field XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in the login interface (my.logon.php3) in F5 FirePass SSL VPN 5.5 through 5.5.2 and 6.0 through 6.0.3 allows remote attackers to inject arbitrary web script or HTML via a base64-encoded xcho parameter. |
| 39167 | 2007-01-05 | F5 FirePass Multiple Method URL Restriction Bypass | (Description Provided by CVE): F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name. |
| 86580 | 2012-09-04 | F5 FirePass my.activation.cns.php3 refreshURL Parameter XSS | F5 FirePass contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'refreshURL' parameter upon submission to the my.activation.cns.php3 script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 32740 | 2007-01-05 | F5 FirePass my.activation.php vhost Parameter XSS | FirePass contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'vhost' variable upon submission to the 'my.activation.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 32736 | 2007-01-05 | F5 FirePass my.activation.php3 Error Message LDAP Account Enumeration | F5 FirePass contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an invalid login attempt is made in the login page at 'my.activation.php'. If the username exists in the local LDAP user directory, a slightly different error message will be displayed than in the case of a non-existent username. This will enable an attacker to enumerate valid usernames, resulting in a loss of confidentiality. |
| 80219 | 2012-03-14 | F5 FirePass my.activation.php3 state Parameter SQL Injection | F5 FirePass contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the my.activation.php3 script not properly sanitizing user-supplied input to the 'state' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 32737 | 2007-01-05 | F5 FirePass my.logon.php3 xcho Parameter XSS | FirePass contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'xcho' variable upon submission to the 'my.logon.php3' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 63076 | 2010-03-17 | F5 FirePass OpenSSL EVP_VerifyFinal Function DSA Key Validation Weakness | Unknown / Incomplete |
| 66300 | 2010-07-14 | F5 FirePass Pre-Logon Token Handling Workstation Restriction Bypass | Unknown / Incomplete |
| 88091 | 2012-12-04 | F5 FirePass SSL VPN CitrixAuth.php sessionId Parameter Traversal Arbitrary File Access | F5 FirePass SSL VPN contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the CitrixAuth.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'sessionID' parameter. This directory traversal attack would allow the attacker to gain access to arbitrary files. |
| 38665 | 2007-11-13 | F5 Firepass SSL VPN download_plugin.php3 backurl Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in download_plugin.php3 in F5 Firepass 4100 SSL VPN 5.4 through 5.5.2 and 6.0 through 6.0.1 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter. |
| 86565 | 2012-10-20 | F5 FirePass SSL VPN my.activation.cns.php3 refreshURL Parameter Arbitrary Site Redirect | F5 FirePass SSL VPN contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the 'refreshURL' parameter upon submission to the my.activation.cns.php3 script. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs. |
| 32738 | 2007-01-05 | F5 FirePass Unspecified Double eval() Function XSS | FirePass contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the variables upon submission to an unspecified script, where it is processed by two JavaScript 'eval()' functions. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 66299 | 2010-07-14 | F5 FirePass Unspecified Pre-Logon Page XSS | Unknown / Incomplete |
| 86546 | 2012-06-11 | F5 FirePass Unspecified SQL Injection | F5 FirePass contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 32742 | 2007-01-05 | F5 FirePass vdesk/admincon/index.php bro Action ua Parameter XSS | FirePass contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'ua' variable upon submission to the 'vdesk/admincon/index.php' script when the 'bro' action is used. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |