Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AVR
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11
Fixed In:
11.6.0, 11.5.2 HF1, 11.5.2, 11.4.1 HF4, 11.4.0 HF6, 11.3.0 HF9
Opened: Nov 21, 2013 Severity: 3-Major Related Article:
K17504
AVR will inject JavaScript although it should not.
AVR can invalidate a response, by injecting JavaScript in a page that is not actually an HTML page.
"Page Load Time" in analytic profile is turned on. Send HTTP request with content-type is text/html without the <head> tag.
Turn off "Page Load Time" in analytic profile
AVR now checks the Content-Type and the existence of the <head> header in the body of a response, before inserting CSPM JavaScript, so that it only injects the CSPM JavaScript into appropriately formatted HTML documents.