CVE-2023-29240

An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Credits

F5 acknowledges Mateusz Dąbrowski of ING for bringing this issue to our attention and following the highest standards of coordinated disclosure.
