Last Modified: Jun 17, 2026
Affected Product(s):
BIG-IP APM
Fixed In:
17.5.1.6, 17.1.3.2
Opened: Mar 29, 2026 Severity: 2-Critical
The logon page in the per-session policy currently lacks user input validation for invalid characters.
The logon page does not validate user input and directly stores the provided value as a session variable.
The logon page is configured within the APM per session policy
None
The logon page has been updated to include the following input validations: -- Fields of type TEXT now restrict the use of specific characters: single-quote (ASCII value 0x27), double-quote (ASCII value 0x22), pipe (ASCII value 0x7C), greater-than (ASCII value 0x3E), and less-than (ASCII value 0x3C). -- For TEXT fields with the parameter name "username," the input is limited to a maximum length of 256 characters.