Home

Description

A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of BIG-IP APM that allows an attacker to run JavaScript in the context of the targeted logged-out user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

PUBLISHED Reserved 2025-10-03 | Published 2025-10-15 | Updated 2025-10-16 | Assigner f5




MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unknown

17.5.0 (custom) before 17.5.1.3
affected

17.1.0 (custom) before 17.1.3
affected

16.1.0 (custom) before 16.1.6.1
affected

15.1.0 (custom) before 15.1.10.8
affected

Credits

F5 finder

References

my.f5.com/manage/s/article/K000156596 vendor-advisory

cve.org (CVE-2025-61933)

nvd.nist.gov (CVE-2025-61933)

Download JSON