Cross-Site Scripting in AjaxNetProfessional
Description
Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection, which may result in cross-site scripting when leveraged by a malicious user. The affected code is the JavaScript object creation performed when parsing JSON input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library; see GHSA-5q7q-qqw2-hjq7 for workaround details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ajax.NET Professional (AjaxPro) before version 21.12.22.1 is vulnerable to JavaScript object injection leading to cross-site scripting (XSS) when parsing untrusted JSON input.
Vulnerability
Ajax.NET Professional (AjaxPro) versions before 21.12.22.1 are vulnerable to JavaScript object injection because the client-side JSON parser in core.js does not treat its input as data only [1][2]. As the fix commit c89e39b9679f shows, parse() first rewrote date-looking string tokens into `new Date(...)` source text with a regular-expression replace and then evaluated the whole text with eval(), so attacker-influenced input could become JavaScript objects or code rather than plain JSON values [3]. All releases prior to 21.12.22.1 are affected [1].
Exploitation
The attacker does not need to authenticate if the web application lets untrusted data reach JSON that AjaxPro methods hand to the client [1][2]. The attacker supplies a payload that, when the affected core.js parse() routine rewrites and eval()s the text in the victim's browser, is interpreted as JavaScript rather than as a JSON value [3]. The injected code then runs in the victim's browser during normal use of the application [3].
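The two parsing strategies contrasted in the Vulnerability and Exploitation paragraphs, as an added example that is not AjaxPro's code: `evalParse()` is a simplified model of the regex-rewrite-then-eval pattern visible in the patched core.js, and `safeParse()` is the hardened alternative (JSON.parse with a reviver that only decodes the numeric `\/Date(<ms>)\/` token). The function names, the `demo()` wrapper and the two sample inputs are constructed for this illustration and do not come from the library or the advisory.

```javascript
// Added example (not AjaxPro's code): simplified model of a client-side JSON
// parser that rewrites date tokens and then eval()s the text, beside a
// hardened parser that keeps the input as data.

// Microsoft-style date token as it appears after JSON.parse has unescaped "\/".
const DATE_TOKEN = /^\/Date\((\d+)\)\/$/;

// Vulnerable pattern (kept only to show the failure mode, never for production):
// rewrite "\/Date(<digits>)\/" strings into "new Date(<digits>)" source text and
// evaluate the whole response. Anything that is valid JavaScript is executed,
// not only valid JSON.
function evalParse(text) {
  const rewritten = text.replace(
    /"\\\/Date\((\d+)\)\\\/"/g,
    (_match, ms) => "new Date(" + parseInt(ms, 10) + ")"
  );
  // eslint-disable-next-line no-eval
  return eval("(" + rewritten + ")");
}

// Hardened pattern: strict JSON grammar; date tokens are decoded by a reviver
// after parsing, so no attacker-controlled text ever reaches an evaluator.
function safeParse(text) {
  return JSON.parse(text, (_key, value) => {
    if (typeof value === "string") {
      const m = DATE_TOKEN.exec(value);
      if (m) return new Date(Number(m[1]));
    }
    return value;
  });
}

// Constructed sample inputs (not captured from any real AjaxPro response).
// A well-formed response carrying one date token:
const LEGIT = '{"id":7,"when":"\\/Date(1640131200000)\\/"}';
// Text that is not JSON: a JavaScript expression where a value should be.
const NOT_JSON = '{"id":1+1,"when":"x"}';

// Runs both parsers over both inputs and reports what each one did.
function demo() {
  const result = {};
  const viaEval = evalParse(LEGIT);
  const viaSafe = safeParse(LEGIT);
  result.evalDateOk = viaEval.when instanceof Date && viaEval.when.getTime() === 1640131200000;
  result.safeDateOk = viaSafe.when instanceof Date && viaSafe.when.getTime() === 1640131200000;
  // eval() computes the injected expression: "id" becomes 2...
  result.evalExecutesCode = evalParse(NOT_JSON).id === 2;
  // ...while JSON.parse refuses the same text with a SyntaxError.
  try {
    safeParse(NOT_JSON);
    result.safeRejectsCode = false;
  } catch (e) {
    result.safeRejectsCode = e instanceof SyntaxError;
  }
  return result;
}
```

The point of the contrast is that both parsers handle the legitimate date token identically, so the hardened form costs nothing functionally, while only the eval-based parser turns non-JSON text into executed code. A token that does not match the strict numeric form (for example `/Date(x)/`) stays an ordinary string under `safeParse()`.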
Impact
Successful exploitation results in cross-site scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the victim's browser session [1][3]. This can lead to data theft, session hijacking, defacement, or redirection to malicious sites [3]. The attacker operates at the privilege level of the authenticated user if the application requires authentication [3].
Mitigation
The vulnerability is patched in version 21.12.22.1 [1][3][4]. Users should upgrade to this or a later version immediately [3]. For those unable to upgrade, a workaround exists that replaces the vulnerable core.js file embedded in the library via an XML configuration setting described in the GHSA advisory [1][3]. Administrators should also confirm that the AjaxNetProfessional assembly actually deployed reports version 21.12.22.1 or later (the fix commit bumps the AssemblyVersion constant), since binaries obtained outside the official NuGet package may still carry the vulnerable core.js [3].
- [1] NVD: CVE-2021-43853
- [2] GitHub: michaelschwarz/Ajax.NET-Professional (project repository; Ajax.NET Professional is one of the first AJAX frameworks for Microsoft ASP.NET and works with many .NET frameworks starting with v1.1)
- [3] GHSA-5q7q-qqw2-hjq7: Cross-Site Scripting Security Vulnerability
- [4] Release v21.12.22.1, michaelschwarz/Ajax.NET-Professional
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| AjaxNetProfessional (NuGet) | < 21.12.22.1 | 21.12.22.1 |
Affected products
- michaelschwarz/Ajax.NET-Professional v5, range: < 21.12.22.1
Patches
c89e39b9679f fixed another XSS issue
2 files changed · +5 −9
AjaxPro/core.js+4 −8 modified@@ -179,7 +179,7 @@ Object.extend(AjaxPro, { var d = date.match(/Date\((.*?)\)/)[1]; return "new Date(" + parseInt(d) + ")"; } - else { // ISO Date 2007-12-31T23:59:59Z + /*else { // ISO Date 2007-12-31T23:59:59Z var matches = date.split(/[-,:,T,Z]/); if (matches.length == 7) { matches[1] = (parseInt(matches[1], 0) - 1).toString(); @@ -194,21 +194,17 @@ Object.extend(AjaxPro, { s += ","; } s += parseInt(matches[i], 10); + console.log(s); } if (isDate) { return "new Date(Date.UTC(" + s + "))"; } } - } + }*/ return str; }, parse: function (text) { - // not yet possible as we still return new type() JSON - // if (!(!(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test( - // text.replace(/"(\\.|[^"\\])*"/g, ''))) )) - // throw new Error("Invalid characters in JSON parse string."); - var regEx = /(\"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}.*?\")|(\"\\\/Date\(.*?\)\\\/")/g; - text = text.replace(regEx, this.regExDate); + text = text.replace(/(\"\\\/Date\(\d+\)\\\/")/g, this.regExDate); return eval('(' + text + ')'); }, m: {
AjaxPro/Utilities/Constant.cs+1 −1 modified@@ -52,6 +52,6 @@ public sealed class Constant /// <summary> /// The assembly version. /// </summary> - public const string AssemblyVersion = "21.12.21.2"; + public const string AssemblyVersion = "21.12.22.1"; } }
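Review bot: in the core.js @@ -179 hunk the ISO-8601 date branch is disabled by wrapping it in `/* ... */` instead of deleting it, and the @@ -194 hunk then adds a `console.log(s)` inside that commented-out region; dead code behind a block comment plus a stray debug statement make the parser harder to audit and invite someone re-enabling the removed path later. Suggest deleting the branch and the `console.log` outright (history stays in version control) and leaving a one-line comment that only the `\/Date(<digits>)\/` form is supported.

Review bot: in the core.js @@ -194 hunk `parse()` still ends in `return eval('(' + text + ')');`, so the narrowed pattern `/(\"\\\/Date\(\d+\)\\\/")/g` closes the date-token rewrite vector but keeps eval as the sink for the entire response text, and the removed comment explaining why character validation was deferred ("not yet possible as we still return new type() JSON") is dropped without a replacement. Suggest either restoring that rationale beside the eval call so the remaining limitation is documented, or replacing rewrite-then-eval with JSON.parse plus a reviver for `\/Date(<digits>)\/` strings once the server side no longer emits `new type()` output.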
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5q7q-qqw2-hjq7 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43853 (NVD advisory)
- github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b (fix commit)
- github.com/michaelschwarz/Ajax.NET-Professional/releases/tag/v21.12.22.1 (release)
- github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-5q7q-qqw2-hjq7 (vendor advisory, confirmed)
News mentions
No linked articles in our index yet.