CVE-2022-23008
MEDIUM
F5 NGINX Controller API Management 3.18.0-3.19.0 - Authenticated JavaScript Injection via Undisclosed API Endpoints
On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://support.f5.com/csp/article/K57735782
Scores
CVSS v3: 5.4
EPSS: 0.0025
EPSS Percentile: 48.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-94, CWE-79
Status: published
Products (1)
f5/nginx_controller_api_management: 3.18.0 - 3.19.1
Published: Jan 25, 2022
Tracked Since: Feb 18, 2026