Enable AJAXEvaluate should be disabled

Impact area

Security

Severity

High

Affected element

System property

Rule ID

SN-0184

Impact

In some circumstances a client can generate arbitrary script code and send it to the server for evaluation, for example through the AJAXEvaluate API call, or by placing JavaScript formulas in query filters.

Remediation

Set the system property "glide.script.allow.ajaxevaluate" to false to disable the AJAXEvaluate API call.
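The following audit helper is an added example for this rule; it is not code from the original page or from ServiceNow. It takes a property-lookup function, so it can be run offline against a constructed export of sys_properties (shown here with the weak setting beside the corrected one), and reports whether glide.script.allow.ajaxevaluate is set to the remediated value. The names checkAjaxEvaluateSetting, lookupIn and auditAll are assumptions of this example; the decision to treat a missing or empty property as not remediated is also an assumption of the example, chosen because an absent value cannot demonstrate that the call is disabled.

```javascript
// Added audit helper for rule SN-0184 (example code, not part of the page or of ServiceNow).
// getProperty(name) must return the property's string value, or null when it does not exist.

const AJAXEVALUATE_PROPERTY = "glide.script.allow.ajaxevaluate";

function checkAjaxEvaluateSetting(getProperty) {
  const raw = getProperty(AJAXEVALUATE_PROPERTY);

  if (raw === null || raw === undefined || String(raw).trim() === "") {
    // Assumption of this example: an unset or empty property is reported as not
    // remediated, because the reviewer cannot show from it that AJAXEvaluate is disabled.
    return { compliant: false, value: null, reason: "property not set; set it explicitly to false" };
  }

  // Normalise case and surrounding whitespace so " FALSE " is accepted as false.
  const value = String(raw).trim().toLowerCase();
  if (value === "false") {
    return { compliant: true, value: value, reason: "AJAXEvaluate disabled" };
  }
  return { compliant: false, value: value, reason: "AJAXEvaluate still enabled (value \"" + value + "\")" };
}

// Build a lookup function over a plain name -> value table (a constructed stand-in
// for reading sys_properties records).
function lookupIn(table) {
  return function (name) {
    return Object.prototype.hasOwnProperty.call(table, name) ? table[name] : null;
  };
}

// Run the check over several named property tables and collect the results.
function auditAll(tables) {
  return Object.keys(tables).map(function (label) {
    const result = checkAjaxEvaluateSetting(lookupIn(tables[label]));
    return { instance: label, compliant: result.compliant, reason: result.reason };
  });
}

// Constructed sample data: one instance with the weak setting, one remediated,
// one where the property was never created.
const weakProperties = { "glide.script.allow.ajaxevaluate": "true" };
const fixedProperties = { "glide.script.allow.ajaxevaluate": "false" };
const missingProperties = {};

auditAll({ weak: weakProperties, fixed: fixedProperties, missing: missingProperties })
  .forEach(function (r) {
    console.log(r.instance + ": " + (r.compliant ? "PASS" : "FAIL") + " - " + r.reason);
  });
```

Inside a ServiceNow background script the same check would be wired to the platform's property lookup, for example by passing `function (name) { return gs.getProperty(name, null); }` as the lookup argument (how that wiring is done in a given instance is an assumption of this example). Treating the unset case as a failure forces the reviewer to set the value explicitly rather than rely on an assumed default.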

Time to fix

15 min

References

This rule is linked to Common Weakness Enumeration CWE-150, Improper Neutralization of Escape, Meta, or Control Sequences.

Last modified on Oct 13, 2020