Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP FPS
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
14.1.0, 13.1.0
Opened: May 14, 2017
Severity: 2-Critical
Real-time encryption for non-password field when full-AJAX encryption is enabled.
When malware changes an input value with JS code, the system sends this value instead of the RTE one.
1. Configure a specific parameter with encryption enabled.
2. The page uses AJAX.
3. Change the configured parameter value in the page after it has been populated by the end user, and then submit the page.
None.
The system now sends the real value from RTE in this case.