CVE-2022-28716

HIGH

BIG-IP <16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5, 12.1.x, 11.6.x - XSS


Description

On 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP AFM, CGNAT, and PEM Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References (1)

Core References
Mitigation, Vendor Advisory x_refsource_misc
https://support.f5.com/csp/article/K25451853

Scores

CVSS v3 7.5
EPSS 0.0074
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (3)
f5/big-ip_advanced_firewall_manager 11.6.1 - 11.6.5
f5/big-ip_carrier-grade_nat 11.6.1 - 11.6.5
f5/big-ip_policy_enforcement_manager 11.6.1 - 11.6.5
Published May 05, 2022
Tracked Since Feb 18, 2026