PT-2021-7106 · Unknown · Ajax.Net Professional

Ashmind · Published 2021-12-22 · Updated 2022-08-09 · CVE-2021-43853

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Ajax.NET Professional (AjaxPro) versions prior to 21.12.22.1

Description: The vulnerability is a JavaScript object injection that a malicious user can leverage for cross-site scripting. Its root cause is deserialization of untrusted data: the library allows arbitrary JavaScript objects to be deserialized. Cross-Site Scripting (XSS) attacks inject malicious scripts into otherwise benign and trusted websites; the impact ranges from a petty nuisance to a significant security risk.

Recommendations: For versions prior to 21.12.22.1, a workaround exists that replaces one of the core JavaScript files embedded in the library. To apply this workaround, use an XML configuration to replace the default JavaScript code with the version available on GitHub. Specifically, add the following configuration:
<configuration>
  <configSections>
    <sectionGroup name="ajaxNet">
      <section name="ajaxSettings" type="AjaxPro.AjaxSettingsSectionHandler,AjaxPro.2" requirePermission="false" restartOnExternalChanges="true"/>
    </sectionGroup>
  </configSections>
  <ajaxNet>
    <ajaxSettings>
      <coreScript>~/ajaxpro-core-fixed.js</coreScript>
    </ajaxSettings>
  </ajaxNet>
</configuration>
Then copy the file core.js from the main project folder to the web server root folder and rename it to ajaxpro-core-fixed.js. Clients will need to refresh the web page to download the changed JavaScript code.
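As an added audit helper that is not part of the advisory, the following Python script decides whether a deployment is covered: it compares the installed AjaxPro version against the fixed release 21.12.22.1 and, for older releases, checks that web.config sets the coreScript override and that the replacement file is present in the web root. The web.config layout follows the advisory; the version string and the file-name set passed in are assumptions supplied by the caller.

```python
# Added audit helper (not from the advisory): decides whether an AjaxPro
# deployment is fixed, protected by the coreScript workaround, or still exposed.
import xml.etree.ElementTree as ET

FIXED_VERSION = (21, 12, 22, 1)  # first fixed release named in the advisory

def parse_version(text):
    """Turn a dotted version such as '21.12.22.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable_version(version_text):
    """True for any AjaxPro release prior to 21.12.22.1."""
    return parse_version(version_text) < FIXED_VERSION

def core_script_override(web_config_xml):
    """Return the coreScript path from ajaxNet/ajaxSettings, or None if unset."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./ajaxNet/ajaxSettings/coreScript")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()

def assess(version_text, web_config_xml, webroot_files):
    """Classify a deployment as 'fixed', 'workaround' or 'vulnerable'.
    webroot_files: set of file names in the web root, e.g. set(os.listdir(root))."""
    if not is_vulnerable_version(version_text):
        return "fixed"
    override = core_script_override(web_config_xml)
    if override is None:
        return "vulnerable"  # old release still serving the default core script
    # In ASP.NET '~/' denotes the application root; strip it to get the file name.
    name = override[2:] if override.startswith("~/") else override.lstrip("/")
    return "workaround" if name in webroot_files else "vulnerable"

# Constructed web.config fragment mirroring the advisory's workaround.
SAMPLE_WEB_CONFIG = """<configuration>
  <ajaxNet>
    <ajaxSettings>
      <coreScript>~/ajaxpro-core-fixed.js</coreScript>
    </ajaxSettings>
  </ajaxNet>
</configuration>"""

if __name__ == "__main__":
    # "21.11.1.1" is a constructed pre-fix version string.
    print(assess("21.11.1.1", SAMPLE_WEB_CONFIG, {"ajaxpro-core-fixed.js"}))
```

An override that points at a file missing from the web root is reported as vulnerable, since the library would then fall back to serving nothing useful in place of the fixed script.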

Fix

Weakness Enumeration: XSS; Deserialization of Untrusted Data

Related Identifiers: BDU:2022-03363, CVE-2021-43853, GHSA-5Q7Q-QQW2-HJQ7

Affected Products: Ajax.Net Professional