Forum Discussion

bc81987's avatar
bc81987
Icon for Nimbostratus rankNimbostratus
May 15, 2024

CWE-20: Improper Input Validation

Good afternoon,   We've recently had a burp suite scan done on our F5 pair. This was the result: The application may be vulnerable to DOM-based DOM data manipulation. Data is read from window.loc...
security
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
May 15, 2024

Thanks for the question. Was there a URL associated with this error report? Are you using APM? Did you provide the scanner logon credentials so it could authenticate to the admin GUI or APM end-user logon page?

I do see a helper function that's used in the APM end-user logon page, decision box page, and endpoint-inspector status page that might trigger this alert, but it doesn't seem to be used in a way that's exploitable.

 

Vulnerability reports can be concerning. If you'd like a faster or tracked response on this question, get as many details as you can and please feel free to open a support ticket:
https://my.f5.com/manage/s/article/K2633

 

bc81987's avatar
bc81987
Icon for Nimbostratus rankNimbostratus
May 16, 2024

Yes there is a URL and we're using APM. Scanner has logon credentials. Everything seems to be working as intended. The issue is how to resolve this. Will an update from "BIG-IP v15.1.10.3 (Build 0.0.12)" work. If so, what version?

I have a ticket in with F5, but I haven't heard back from the solution engineer since 5/8. I'll reach out again.

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Jun 03, 2024

    Did you hear something from F5 support?

     

    Without exact details it is going to be difficult to say something here.