CVE-2021-22993 in BIG-IP Advanced WAF
Summary
by MITRE • 04/01/2021
On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, DOM-based XSS on DoS Profile properties page. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/27/2026
This vulnerability exists in F5 BIG-IP Advanced WAF and BIG-IP ASM systems across multiple version ranges, specifically affecting the DoS Profile properties page where DOM-based cross-site scripting occurs. The flaw represents a critical security weakness that allows attackers to inject malicious scripts into the web application's document object model through manipulated input parameters. This vulnerability is categorized under CWE-79 as Cross-Site Scripting and falls within the broader ATT&CK technique T1059.007 for Command and Scripting Interpreter, specifically targeting client-side script execution.
The technical implementation of this DOM-based XSS vulnerability occurs when user-supplied input is improperly sanitized or validated before being rendered in the DoS Profile properties page interface. Attackers can craft malicious payloads that exploit the lack of proper input validation mechanisms, allowing them to execute arbitrary JavaScript code within the context of a victim's browser session. The vulnerability specifically affects the web application firewall's administrative interface where security policies are configured and managed, making it particularly dangerous as it could enable attackers to manipulate or bypass security protections.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with potential access to sensitive administrative functions within the BIG-IP system. An attacker who successfully exploits this vulnerability could potentially modify DoS profile configurations, disable security protections, or even gain unauthorized access to other system components through session hijacking or credential theft. The vulnerability's presence in multiple version ranges indicates a widespread issue affecting both current and legacy deployments of F5's application security solutions.
Organizations should immediately implement mitigations including applying the latest available patches from F5, which address this specific DOM-based XSS vulnerability across all affected versions. Network segmentation and access controls should be strengthened around administrative interfaces to limit potential attack vectors, while input validation mechanisms should be enhanced to properly sanitize all user-supplied data before rendering within web application contexts. Additional protective measures include implementing content security policies to prevent unauthorized script execution and monitoring for suspicious activity patterns that may indicate exploitation attempts. The vulnerability demonstrates the critical importance of maintaining up-to-date security patches and proper input validation practices in enterprise security infrastructure solutions, particularly those handling sensitive policy configuration data.