A cross-site scripting (XSS) vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed when the preview is opened. (CVE-2020-5932)
Impact
This vulnerability allows an authenticated attacker to execute a cross-site scripting (XSS) attack when another BIG-IP ASM authenticated administrative user previews the blocking page response body. The blocking page response body is located in the Blocking Page Default section of the Blocking and Response Pages tab in the security policy configuration.