CVE-2013-0150

Directory traversal vulnerability in an unspecified signed Java applet in the client-side components in F5 BIG-IP APM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, FirePass 6.0.0 through 6.1.0 and 7.0.0, and other products "when APM is provisioned," allows remote attackers to upload and execute arbitrary files via a .. (dot dot) in the filename parameter.

Published: Aug 9, 2013
Updated: Nov 9, 2025
CVE: CVE-2013-0150
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
f5 / firepass	7.0.0	7.0.0.x
f5 / big-ip_advanced_firewall_manager	11.3.0	11.3.0.x
f5 / big-ip_policy_enforcement_manager	11.3.0	11.3.0.x
f5 / big-ip_access_policy_manager	10.1.0	10.2.4.x
f5 / big-ip_edge_gateway	10.1.0	10.2.4.x
f5 / big-ip_edge_gateway	11.0.0	11.3.0.x
f5 / big-ip_webaccelerator	11.0.0	11.3.0.x
f5 / big-ip_wan_optimization_manager	11.0.0	11.3.0.x
f5 / firepass	6.0.0	6.1.0.x
f5 / big-ip_link_controller	11.0.0	11.3.0.x
f5 / big-ip_global_traffic_manager	11.0.0	11.3.0.x
f5 / big-ip_protocol_security_module	11.0.0	11.3.0.x
f5 / big-ip_access_policy_manager	11.0.0	11.3.0.x
f5 / big-ip_local_traffic_manager	11.0.0	11.3.0.x
f5 / big-ip_application_security_manager	11.0.0	11.3.0.x
f5 / big-ip_analytics	11.0.0	11.3.0.x
f5 / big-ip_wan_optimization_manager	10.1.0	10.2.4.x
f5 / big-ip_webaccelerator	10.1.0	10.2.4.x
f5 / big-ip_protocol_security_module	10.1.0	10.2.4.x
f5 / big-ip_link_controller	10.1.0	10.2.4.x
f5 / big-ip_global_traffic_manager	10.1.0	10.2.4.x
f5 / big-ip_application_security_manager	10.1.0	10.2.4.x
f5 / big-ip_local_traffic_manager	10.1.0	10.2.4.x

Vulnerability Database

309,961

CVE-2013-0150

Deep Security Visibility Without the Complexity