CVE-2008-2637

F5 Firepass SSL VPN - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN 6.0.2 hotfix 3, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via quotes in (1) the css_exceptions parameter in vdesk/admincon/webyfiers.php and (2) the sql_matchscope parameter in vdesk/admincon/index.php.

Exploits (2)

exploitdb WORKING POC VERIFIED

by nnposter · textremotehardware

https://www.exploit-db.com/exploits/31885

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by nnposter · textremotehardware

https://www.exploit-db.com/exploits/31886

View Code ZIP pw:eip

References (7)

[Vendor Advisory] http://secunia.com/advisories/30550

[Vendor Advisory] http://www.vupen.com/english/advisories/2008/1765/references

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/42884

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/493149/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/29574

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1020205

[Third Party Advisory] http://securityreason.com/securityalert/3931

Scores

EPSS 0.1310

EPSS Percentile 94.0%

Classification

CWE

CWE-79

Status draft

Affected Products (1)

f5/firepass_ssl_vpn

Timeline

Published Jun 10, 2008

Tracked Since Feb 18, 2026