CVE-2022-28716: 
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation

CVE-2022-28716 is a DOM-based cross-site scripting (XSS) vulnerability that affects BIG-IP AFM, CGNAT, and PEM Configuration utility. The vulnerability was discovered and disclosed in May 2022, affecting multiple versions of F5's BIG-IP products including 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x (NVD).

The vulnerability exists in an undisclosed page of the BIG-IP Configuration utility and allows an attacker to execute JavaScript in the context of the currently logged-in user. The severity assessment shows a CVSS v3.1 base score of 8.8 (HIGH) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. F5 Networks assessed it with a slightly lower score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute JavaScript code in the context of the currently logged-in user's session. This could potentially lead to unauthorized access to sensitive information, manipulation of system settings, or other malicious actions within the scope of the user's permissions (NVD).

F5 Networks has released patched versions to address this vulnerability. Users should upgrade to version 16.1.2.2, 15.1.5.1, 14.1.4.6, or 13.1.5 depending on their current version branch. Note that versions 12.1.x and 11.6.x will not receive fixes as they have reached End of Technical Support (EoTS) (NVD).