BugZero | F5 BugID 438604 - AVR JavaScript injection takes place regardless of...

F5 - Defect ID: 438604

AVR JavaScript injection takes place regardless of content-type value

F5 - Defect ID: 438604

AVR JavaScript injection takes place regardless of content-type value

Last updated on July 13th, 2024

BugZero Risk Score
7.1 High

Overall: 7.1

Severity: 7.3

Community: 4.1

Lifecycle: 7.1

What is the BugZero Risk Score?

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: 3-Major
Status: Verified
Impact Category: Application Visibility and Reporting

Description

Symptoms

AVR will inject JavaScript although it should not.

Impact

AVR can invalidate a response, by injecting JavaScript in a page that is not actually an HTML page.

Conditions

"Page Load Time" in analytic profile is turned on. Send HTTP request with content-type is text/html without the <head> tag.

Workaround

Turn off "Page Load Time" in analytic profile

Fix Information

AVR now checks the Content-Type and the existence of the <head> header in the body of a response, before inserting CSPM JavaScript, so that it only injects the CSPM JavaScript into appropriately formatted HTML documents.

Change history

2025-03-22 Added: 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11

Top F5 Defects by Risk Score

No bugs this month

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

F5 - Defect ID: 438604

AVR JavaScript injection takes place regardless of content-type value

F5 - Defect ID: 438604

AVR JavaScript injection takes place regardless of content-type value

Last updated on July 13th, 2024

BugZero Risk Score
7.1 High

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Links

Top F5 Defects by Risk Score

Ready to prevent the next vendor outage?

OPERATIONAL DEFECT DATABASE

F5 - Defect ID: 438604

AVR JavaScript injection takes place regardless of content-type value

F5 - Defect ID: 438604

AVR JavaScript injection takes place regardless of content-type value

Last updated on July 13th, 2024

BugZero Risk Score7.1 High

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Links

Top F5 Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
7.1 High