Security
Severity: High
Affected Element: System property
Rule ID
SN-0185
Impact
From within client scripts it is possible to query arbitrary server data through the GlideAjax API, using a syntax similar to a server-side GlideRecord (the client-side GlideRecord, which is implemented over AJAXGlideRecord). Unless ACLs are enforced on these queries, any user who can trigger the client script can read records they are not authorised to see, which leads to data leaks.
Remediation
Enable the AJAXGlideRecord ACL checking property, "glide.script.secure.ajaxgliderecord", by setting it to true. Afterwards, test any scripts that use GlideAjax or client-side GlideRecord thoroughly: queries that previously returned records the user cannot read will now return nothing, which can cause loss of functionality. Note that this property only governs client-side GlideRecord queries; a Script Include invoked through GlideAjax still has to enforce access itself, for example by using GlideRecordSecure instead of GlideRecord.
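As an added example that is not part of this rule's text or of any ServiceNow product code, the following Node.js helper audits an instance export for this rule: it reports whether glide.script.secure.ajaxgliderecord is set to true and lists the client scripts that construct a client-side GlideRecord, since those queries run through AJAXGlideRecord and are the ones whose results change once ACL checking is switched on, so they are the regression-test candidates. sys_properties and sys_script_client are real ServiceNow tables, but the JSON export shape and the sample records are constructed assumptions.

```javascript
// Added example: audit helper for the AJAXGlideRecord ACL property.
// The export below is a constructed sample modelled on a ServiceNow table
// export of sys_properties and sys_script_client; its shape is an assumption.

const PROPERTY = 'glide.script.secure.ajaxgliderecord';

// Constructed sample export (not real instance data).
const sampleExport = {
  sys_properties: [
    { name: 'glide.ui.session_timeout', value: '60' },
    { name: PROPERTY, value: 'false' },
  ],
  sys_script_client: [
    {
      name: 'Lookup caller details',
      table: 'incident',
      script:
        "function onChange(control, oldValue, newValue, isLoading) {\n" +
        "  var gr = new GlideRecord('sys_user');\n" +
        "  gr.addQuery('sys_id', newValue);\n" +
        "  gr.query(function(rec) { /* ... */ });\n}",
    },
    {
      name: 'Set priority via Script Include',
      table: 'incident',
      script:
        "function onLoad() {\n" +
        "  var ga = new GlideAjax('PriorityUtil');\n" +
        "  ga.addParam('sysparm_name', 'getDefault');\n" +
        "  ga.getXMLAnswer(function(a) { g_form.setValue('priority', a); });\n}",
    },
    {
      name: 'Hide field',
      table: 'incident',
      script: "function onLoad() { g_form.setDisplay('u_x', false); }",
    },
  ],
};

// True only when the property exists and its value is literally "true".
function ajaxGlideRecordAclEnabled(exp) {
  const p = exp.sys_properties.find((r) => r.name === PROPERTY);
  return Boolean(p) && String(p.value).trim().toLowerCase() === 'true';
}

// Client scripts that construct a client-side GlideRecord. These queries go
// through AJAXGlideRecord, so enabling ACL checking changes what they return;
// they are the scripts to regression-test after the property is switched on.
const CLIENT_GLIDERECORD = /\bnew\s+GlideRecord\s*\(/;
function clientGlideRecordScripts(exp) {
  return exp.sys_script_client
    .filter((s) => CLIENT_GLIDERECORD.test(s.script || ''))
    .map((s) => `${s.table}: ${s.name}`);
}

// Combined report: is the property enabled, and which scripts need testing.
function audit(exp) {
  return {
    property: PROPERTY,
    enabled: ajaxGlideRecordAclEnabled(exp),
    scriptsToTest: clientGlideRecordScripts(exp),
  };
}

// Print the report when run directly (guarded so it also loads as a module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(audit(sampleExport), null, 2));
}
```

Running it against the sample reports the property as disabled and flags only the script that uses client-side GlideRecord; the GlideAjax caller is not flagged because its access control lives in the Script Include, which this property does not cover.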
Time to fix
15 min
References
This rule is linked to Common Weakness Enumeration CWE-862: Missing Authorization.