Bug ID 2259165: Input Validation on APM Logon Page

Last Modified: Jun 17, 2026

Affected Product(s):
BIG-IP APM(all modules)

Fixed In:
17.5.1.6, 17.1.3.2

Opened: Mar 29, 2026

Severity: 2-Critical

Symptoms

The logon page in the per-session policy currently lacks user input validation for invalid characters.

Impact

The logon page does not validate user input and directly stores the provided value as a session variable.

Conditions

The logon page is configured within the APM per session policy

Workaround

None

Fix Information

The logon page has been updated to include the following input validations: -- Fields of type TEXT now restrict the use of specific characters: single-quote (ASCII value 0x27), double-quote (ASCII value 0x22), pipe (ASCII value 0x7C), greater-than (ASCII value 0x3E), and less-than (ASCII value 0x3C). -- For TEXT fields with the parameter name "username," the input is limited to a maximum length of 256 characters.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips