Unknown · Ajax.Net Professional · CVE-2021-43853
**Name of the Vulnerable Software and Affected Versions**
Ajax.NET Professional (AjaxPro) versions prior to 21.12.22.1
**Description**
The vulnerability is a JavaScript object injection that can result in cross-site scripting (XSS) when exploited by a malicious user. It is caused by deserialization of untrusted data: the library can be made to deserialize arbitrary JavaScript objects. XSS attacks inject malicious scripts into otherwise benign and trusted websites, with effects ranging from petty nuisance to significant security risk.
**Recommendations**
For versions prior to 21.12.22.1, a workaround exists that replaces one of the core JavaScript files embedded in the library. To apply it, add an XML configuration that replaces the default JavaScript code with the fixed version available on GitHub. Specifically, add the following configuration:
```xml
<configuration>
  <configSections>
    <sectionGroup name="ajaxNet">
      <section name="ajaxSettings" type="AjaxPro.AjaxSettingsSectionHandler,AjaxPro.2" requirePermission="false" restartOnExternalChanges="true"/>
    </sectionGroup>
  </configSections>
  <ajaxNet>
    <ajaxSettings>
      <coreScript>~/ajaxpro-core-fixed.js</coreScript>
    </ajaxSettings>
  </ajaxNet>
</configuration>
```
Then, copy the file core.js from the main project folder to the web server root folder and rename it to ajaxpro-core-fixed.js. Clients will need to refresh the web page to download the changed JavaScript code.
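To verify that the workaround above is actually in place on a deployment, the following check parses a web.config and confirms both the section declaration and the coreScript override. This is an added example, not code from the advisory or the AjaxPro project; the embedded web.config is a constructed sample mirroring the configuration above, and the `deployed_files` set stands in for the web root so the check runs offline.

```python
"""Check whether the AjaxPro CVE-2021-43853 coreScript workaround is configured."""
import xml.etree.ElementTree as ET

# Section handler type from the advisory's configuration.
EXPECTED_HANDLER = "AjaxPro.AjaxSettingsSectionHandler,AjaxPro.2"

# Constructed sample web.config mirroring the advisory's workaround.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <sectionGroup name="ajaxNet">
      <section name="ajaxSettings" type="AjaxPro.AjaxSettingsSectionHandler,AjaxPro.2" requirePermission="false" restartOnExternalChanges="true"/>
    </sectionGroup>
  </configSections>
  <ajaxNet>
    <ajaxSettings>
      <coreScript>~/ajaxpro-core-fixed.js</coreScript>
    </ajaxSettings>
  </ajaxNet>
</configuration>"""


def check_workaround(config_xml: str, deployed_files: set) -> list:
    """Return a list of problems; an empty list means the workaround is in place.

    deployed_files is the set of app-relative paths present in the web root
    (e.g. {"~/ajaxpro-core-fixed.js"}), so the check needs no filesystem access.
    """
    problems = []
    root = ET.fromstring(config_xml)

    # 1. The ajaxNet/ajaxSettings section must be declared with the AjaxPro handler,
    #    otherwise ASP.NET will not hand the <ajaxNet> element to the library.
    section = root.find(
        "./configSections/sectionGroup[@name='ajaxNet']/section[@name='ajaxSettings']"
    )
    if section is None:
        problems.append("ajaxNet/ajaxSettings section is not declared in configSections")
    elif section.get("type") != EXPECTED_HANDLER:
        problems.append(f"unexpected section handler type: {section.get('type')!r}")

    # 2. coreScript must override the embedded core.js with the fixed copy,
    #    and the referenced file must actually exist in the web root.
    core = root.findtext("./ajaxNet/ajaxSettings/coreScript")
    if not core:
        problems.append("coreScript is not set; the embedded vulnerable core.js is still served")
    elif core.strip() not in deployed_files:
        problems.append(f"coreScript points to {core.strip()!r} but that file is not deployed")
    return problems
```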