CVE-2014-3220

F5 Big-iq - Credentials Management

Title source: rule

Description

F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary users via the name parameter in a request to the user's page in mgmt/shared/authz/users/.

Exploits (1)

exploitdb WORKING POC

by Brandon Perry · rubyremotehardware

https://www.exploit-db.com/exploits/33143

View Code ZIP pw:eip

References (10)

[Mailing List] http://seclists.org/fulldisclosure/2014/May/10

[Exploit] http://seclists.org/fulldisclosure/2014/May/11

[Mailing List] http://seclists.org/fulldisclosure/2014/May/16

[Third Party Advisory] http://secunia.com/advisories/58440

[Vendor Advisory] http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15229.html

[Various Sources] http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html

[Exploit] https://gist.github.com/brandonprry/2e73acd63094fa2a4f63

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/67191

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/67227

[Exploit, Third Party Advisory] http://www.exploit-db.com/exploits/33143

Scores

EPSS 0.3185

EPSS Percentile 96.8%

Details

CWE

CWE-255

Status published

Products (1)

f5/big-iq 4.1.0.2013.0

Published May 05, 2014

Tracked Since Feb 18, 2026