CVE-2022-27880

CVE-2022-27880 – F5 Traffix Signal Delivery Controller

Vulnerability Description: Stored Cross-Site Scripting - CWE-79
Software Version: 5.1.0, 5.2.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27880
CVSSv3: 4.8
Severity: Medium
Credits: Valerio Alessandroni, Matteo Brutti, Massimiliano Brolli

The web application of F5 Traffix SDC does not properly validate or encode the parameters it receives in HTTP requests before storing them on the server. When a page that includes the stored value is later served, the malicious JavaScript is returned to the end user and executed by the browser. Because the payload is persisted rather than echoed from a single request, it is a stored (not reflected) XSS and affects every user who views the page, not only the one who submitted it.

Step-by-step instructions and PoC

An authenticated remote user can inject arbitrary HTML/JavaScript that is stored by the application and executed in the browser of any user who visits the affected page.

Affected Endpoints

Malicious JavaScript code is injected through the “User Name” parameter:

The injected code is stored by the application and rendered within the page each time it is loaded.
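The following JavaScript is an added illustration of the stored-XSS pattern this advisory describes; it is not code from F5 Traffix SDC or from the TIM researchers. The in-memory store, the `saveUserName` / `renderProfile*` functions, the allowlist in `isValidUserName` and the payload string are all constructed for this example. It shows the two halves of the defect named above, a value saved without validation and then embedded in HTML without output encoding, next to the hardened form that validates on input and escapes at the HTML sink.

```javascript
// Added example, not F5 SDC code. The store, field names and render
// functions are hypothetical stand-ins for a page that saves a
// user-supplied "User Name" and later shows it to other users.

// Minimal HTML entity escaping for text placed in an element body or a
// double-quoted attribute value. '&' is replaced first so the entities
// produced by the later replacements are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Input-side check (assumed policy for this example): an allowlist of
// characters a display name may contain. Anything with markup
// metacharacters is rejected before it is ever stored.
function isValidUserName(name) {
  return /^[A-Za-z0-9._ -]{1,64}$/.test(String(name));
}

// Simulated server-side store. Persisting the raw value is the first half
// of a stored XSS (CWE-79); the second half is rendering it unescaped.
const userStore = new Map();

function saveUserName(userId, userName) {
  userStore.set(userId, userName);
}

// Vulnerable rendering: the stored value is concatenated straight into
// markup, so any HTML/JS it contains is parsed by the viewer's browser.
function renderProfileVulnerable(userId) {
  return `<td class="user-name">${userStore.get(userId)}</td>`;
}

// Hardened rendering: same data, encoded at the HTML sink. Encoding at
// output is the control that holds even if the input check is bypassed.
function renderProfileSafe(userId) {
  return `<td class="user-name">${escapeHtml(userStore.get(userId))}</td>`;
}

// Constructed payload (not taken from the advisory), representative of
// what an authenticated user could submit in a "User Name" field.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Review-style check over rendered output: does the raw payload survive?
function containsRawPayload(html) {
  return html.includes(PAYLOAD);
}

// Store the payload the way the unvalidated application would, then
// render it both ways so the difference is visible side by side.
function demo() {
  saveUserName("u1", PAYLOAD);
  return {
    inputAccepted: isValidUserName(PAYLOAD), // false with the allowlist
    vulnerable: renderProfileVulnerable("u1"),
    safe: renderProfileSafe("u1"),
  };
}

const DEMO = demo();
console.log("allowlist accepts payload:", DEMO.inputAccepted);
console.log("vulnerable:", DEMO.vulnerable);
console.log("safe:      ", DEMO.safe);
```

The allowlist is deliberately strict for a display-name field; a real product would tune it to its locale requirements, but output encoding at the sink should never depend on it.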