An insecure AES ECB mode is used for the orig_uri parameter in an undisclosed /vdesk link of an APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value out of different blocks of ciphertext. (CVE-2018-5548)
Impact
An attacker can forge a URL with an obfuscated (encrypted and encoded) value in the orig_uri parameter. An authenticated user with an established access session to the BIG-IP APM system may be redirected to a malicious website after following the forged URL.
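As an added illustration (not F5's code and not the APM implementation), the Go model below shows why an authenticated mode removes this class of forgery: decryptECB, a model of the weak construction, has no way to notice that ciphertext blocks were reordered, while openGCM (AES-GCM, an AEAD) rejects the same tampering with an error. The key, nonce and function names are this example's own constructed values, not anything from the advisory.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Key and nonce are constructed for this example only; a deployment derives the
// key from a secret and uses a fresh random nonce for every sealed value.
var demoKey, demoNonce = []byte("0123456789abcdef0123456789abcdef"), []byte("demo-nonce12")

// encryptECB is the weak construction: each block stands alone, carrying neither its position nor an integrity check.
func encryptECB(key, plaintext []byte) []byte {
	b, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	pt := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// decryptECB accepts any well-formed sequence of blocks, in any order.
func decryptECB(key, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16")
	}
	b, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		b.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad padding")
}

// gcm is the hardened primitive: the GCM tag covers the whole value, so openGCM rejects any reordered or altered block.
func gcm(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}

func sealGCM(key, nonce, plaintext []byte) []byte { return gcm(key).Seal(nil, nonce, plaintext, nil) }
func openGCM(key, nonce, ct []byte) ([]byte, error) { return gcm(key).Open(nil, nonce, ct, nil) }
```

The practical check for a deployment is the second half: any value that must survive a round trip through the client should be carried under an AEAD (or a MAC), so that a reordered or substituted block is an error rather than a different valid redirect.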