Enable AJAXEvaluate should be disabled
Impact area
Security
Severity
High
Affected element
System property
Rule ID
SN-0184
Impact
In some circumstances the client can generate arbitrary script code and send it to the server for evaluation, for instance through the AJAXEvaluate API call, or by placing JavaScript formulas in query filters.
Remediation
Set the system property "glide.script.allow.ajaxevaluate" to false. This disables the AJAXEvaluate API call, so the server no longer evaluates script supplied by the client through it.
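The checker below is an added example for this rule; it is not part of the rule text or of ServiceNow's own tooling. It reads the glide.script.allow.ajaxevaluate row from sys_properties over the ServiceNow Table API (/api/now/table/sys_properties), passes only when the value is literally "false" (case-insensitive, whitespace ignored), and treats a missing record, an empty value, "true", or a duplicate record that is not false as a finding; that pass/fail policy is this example's own choice. The instance URL, the basic-auth account, the sys_id and the sample JSON response are all constructed assumptions. The PATCH builder is the API equivalent of editing the property record in the instance.

```python
"""Audit a ServiceNow instance for rule SN-0184 (AJAXEvaluate must be disabled).

Added example, not part of the rule text or of ServiceNow. It reads the
glide.script.allow.ajaxevaluate row from sys_properties via the Table API
and reports a finding unless the value is literally "false".
"""
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

RULE_ID = "SN-0184"
PROPERTY = "glide.script.allow.ajaxevaluate"


@dataclass
class Finding:
    rule_id: str
    property_name: str
    observed: Optional[list]  # values found for the property, None when no record exists
    passed: bool
    message: str


def evaluate_property(records):
    """Apply the SN-0184 verdict to sys_properties rows (dicts with 'name' and 'value').

    Checker policy (this example's assumption): only an explicit, case-insensitive
    "false" counts as disabled. A missing record, an empty value, "true" or anything
    else is a finding, and when duplicate records exist every one of them must be false.
    """
    values = [str(r.get("value", "")).strip() for r in records if r.get("name") == PROPERTY]
    if not values:
        return Finding(RULE_ID, PROPERTY, None, False,
                       f"{PROPERTY} is not defined; AJAXEvaluate is not explicitly disabled")
    if all(v.lower() == "false" for v in values):
        return Finding(RULE_ID, PROPERTY, values, True,
                       f"{PROPERTY} is false; AJAXEvaluate is disabled")
    return Finding(RULE_ID, PROPERTY, values, False,
                   f"{PROPERTY} is {values!r}; set it to false to disable AJAXEvaluate")


def parse_table_response(body):
    """Extract the row list from a Table API JSON response of the form {"result": [...]}."""
    return json.loads(body).get("result", [])


def _basic_auth(user, password):
    """Basic-auth header value for a hypothetical audit account (read access to sys_properties)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_query_request(instance_url, user, password):
    """Build the GET that fetches the property row (sys_id, name, value) for evaluation."""
    url = (f"{instance_url.rstrip('/')}/api/now/table/sys_properties"
           f"?sysparm_query=name={PROPERTY}&sysparm_fields=sys_id,name,value")
    return urllib.request.Request(url, headers={"Authorization": _basic_auth(user, password),
                                                "Accept": "application/json"})


def build_fix_request(instance_url, user, password, sys_id):
    """Build the PATCH that sets an existing property record to false (the remediation)."""
    url = f"{instance_url.rstrip('/')}/api/now/table/sys_properties/{sys_id}"
    return urllib.request.Request(url, method="PATCH",
                                  data=json.dumps({"value": "false"}).encode(),
                                  headers={"Authorization": _basic_auth(user, password),
                                           "Content-Type": "application/json",
                                           "Accept": "application/json"})


def audit_instance(instance_url, user, password, timeout=15):
    """Live check: fetch the row over the network and evaluate it."""
    req = build_query_request(instance_url, user, password)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return evaluate_property(parse_table_response(resp.read()))


# Constructed sample response standing in for a real (non-compliant) instance.
SAMPLE_RESPONSE = json.dumps({"result": [{"sys_id": "0123456789abcdef0123456789abcdef",
                                          "name": PROPERTY, "value": "true"}]})

if __name__ == "__main__":
    finding = evaluate_property(parse_table_response(SAMPLE_RESPONSE))
    print(f"[{finding.rule_id}] {'PASS' if finding.passed else 'FAIL'}: {finding.message}")
```

Run as-is it evaluates the constructed sample and reports a FAIL; point audit_instance at a real instance with an audit account to check it live. Only a record that reads false is accepted, so an instance where the property was never created is reported rather than silently assumed safe.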
Time to fix
15 min
References
This rule is linked to Common Weakness Enumeration CWE-150, Improper Neutralization of Escape, Meta, or Control Sequences.