CVE-2022-28707: 
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability (CVE-2022-28707) exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI). This vulnerability affects F5 BIG-IP versions 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.5.1, and 14.1.x prior to 14.1.4.6. The vulnerability was disclosed in May 2022 (NVD, SecurityWeek).

The vulnerability allows an attacker to execute JavaScript code in the context of the currently logged-in user. The attacker needs to have at least 'guest' privileges to exploit this vulnerability. The vulnerability has been assigned different CVSS scores by different organizations - F5 Networks rated it with a CVSS v3.1 Base Score of 8.0 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, while NVD assigned a score of 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the currently logged-in user, potentially leading to unauthorized access, data theft, or system manipulation (SecurityWeek).

F5 has released patched versions to address this vulnerability. Users should upgrade to versions 16.1.2.2, 15.1.5.1, or 14.1.4.6 or later depending on their current version. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated (NVD).