AJAXGlideRecord ACL Checking should be enabled

Impact area

Security

Severity

High

Affected element

System property

Rule ID

SN-0185

Impact

From within client scripts, the GlideAjax API can be used to query arbitrary data from the server using a syntax similar to a server-side GlideRecord. Unless ACLs are checked on these queries, this can cause data leaks.

Remediation

Enable the AJAXGlideRecord ACL property: "glide.script.secure.ajaxgliderecord". Any scripts using GlideAjax should be tested thoroughly to ensure that loss of functionality does not occur.

Time to fix

15 min

References

This rule is linked to Common Weakness Enumeration CWE-862 Missing Authorization.

Last modified on Oct 13, 2020