AJAXGlideRecord ACL Checking should be enabled
Impact area
Security
Severity
High
Affected element
System property
Rule ID
SN-0185
Impact
From within client scripts, it is possible to query arbitrary data from the server via the GlideAjax API, using a syntax similar to a server-side GlideRecord. Unless ACLs are checked, this can cause data leaks.
Remediation
Enable the AJAXGlideRecord ACL property: "glide.script.secure.ajaxgliderecord". Any scripts using GlideAjax should be tested thoroughly to ensure that loss of functionality does not occur.
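One way to verify the remediation, as an added example that is not part of the original rule or of ServiceNow's own code: the function below audits a Table API response for the sys_properties table and reports whether "glide.script.secure.ajaxgliderecord" is enabled. The helper name, the sample response and the treatment of a missing property are assumptions.

```javascript
// Added example: audit the AJAXGlideRecord ACL property from a Table API
// response for sys_properties. Runs offline against constructed sample data.
const PROPERTY = 'glide.script.secure.ajaxgliderecord';

// Constructed sample of the body returned by
// GET /api/now/table/sys_properties?sysparm_query=name=<PROPERTY>
const sampleResponse = JSON.stringify({
  result: [{ name: PROPERTY, value: 'false', sys_id: 'constructed-sys-id-0001' }]
});

// auditAjaxGlideRecordAcl is a hypothetical helper name.
function auditAjaxGlideRecordAcl(responseText) {
  let rows = null;
  try {
    const body = JSON.parse(responseText);
    if (Array.isArray(body.result)) rows = body.result;
  } catch (e) {
    rows = null; // not JSON, or not an object with a result list
  }
  if (rows === null) {
    return { status: 'error', detail: 'not a Table API result list', records: [] };
  }

  const matches = rows.filter((r) => r && r.name === PROPERTY);
  if (matches.length === 0) {
    // Assumption: an undefined property is flagged for manual review
    // instead of guessing the instance default.
    return { status: 'review', detail: PROPERTY + ' is not defined', records: [] };
  }

  // Assumption: only the string "true" (ignoring case and padding) counts as enabled.
  const disabled = matches.filter(
    (r) => String(r.value).trim().toLowerCase() !== 'true'
  );
  if (disabled.length > 0) {
    return {
      status: 'fail',
      detail: PROPERTY + ' is not enabled; client-side queries skip ACL checks',
      records: disabled.map((r) => r.sys_id)
    };
  }
  return { status: 'pass', detail: PROPERTY + ' is enabled', records: [] };
}

console.log(auditAjaxGlideRecordAcl(sampleResponse));
```

A "fail" or "review" result means the property still needs to be set, after which scripts that use GlideAjax should be retested as described above.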
Time to fix
15 min
References
This rule is linked to Common Weakness Enumeration CWE-862 Missing Authorization.