Cross-site Scripting in Ajax.NET Professional
Description
Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET which will create proxy JavaScript classes that are used on client-side to invoke methods on the web server. Affected versions of this package are vulnerable to cross-site scripting attacks. Releases before version 21.12.22.1 are affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ajax.NET Professional (AjaxPro) versions before 21.12.22.1 are vulnerable to cross-site scripting (XSS) due to improper handling of untrusted data.
Vulnerability Description
Ajax.NET Professional (AjaxPro) is a legacy AJAX framework for Microsoft ASP.NET that automatically generates proxy JavaScript classes for client-side method invocation. Versions prior to 21.12.22.1 are vulnerable to cross-site scripting (XSS) attacks. The root cause is the deserialization of untrusted JavaScript objects, which allows an attacker to inject malicious scripts into the application's output. This is classified as a case of Deserialization of Untrusted Data leading to XSS [1][2][4].
Attack Vector
The vulnerability can be exploited when the framework processes specially crafted JSON or JavaScript serialized data from the client. No authentication is required, and the attack can be carried out remotely over the network. The attacker only needs to trick a user into interacting with a malicious request or page that triggers the vulnerable deserialization endpoint. The framework generates proxy JavaScript classes exposed by the AjaxPro.Utility.RegisterTypeForAjax method, which are then called from client-side code [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, theft of sensitive information, or redirection to malicious sites. Since the vulnerability affects the core framework rendering, the impact is broad for any application using the affected versions [4].
Mitigation
The vulnerability is fixed in version 21.12.22.1 and later. Users are strongly advised to upgrade to the latest version available on NuGet. A workaround is available that replaces the core JavaScript file with a fixed version via configuration, but upgrading is the recommended solution. No other mitigations are known [1][2][4].
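To make the fix concrete, here is an added example (not AjaxPro's own code) that contrasts the pre-fix and post-fix date regexes from the patched core.js parse() and revives the ASP.NET \/Date(ticks)\/ tokens with JSON.parse plus a reviver instead of eval. It assumes the server emits strict JSON, which the project's own comment in the fix commit notes is not yet the case while responses still contain new type() constructs; the sample responses are constructed, not captured traffic.

```javascript
// Added example, not code from the AjaxPro project. It contrasts the two
// client-side date regexes visible in the fix commit (pre-fix vs post-fix)
// and shows an eval-free way to revive ASP.NET "\/Date(ticks)\/" values.

// Pre-fix pattern from core.js parse(): the lazy ".*?" tails admit
// arbitrary characters inside the quoted token.
const OLD_DATE_RE = /(\"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}.*?\")|(\"\\\/Date\(.*?\)\\\/")/g;
// Post-fix pattern: only a run of digits is accepted between the parentheses.
const NEW_DATE_RE = /(\"\\\/Date\(\d+\)\\\/")/g;

// Count how many quoted tokens a pattern would hand to regExDate().
function countDateTokens(re, text) {
  return (text.match(re) || []).length;
}

// Constructed sample responses (not captured traffic). In the raw JSON text
// the slash is escaped, so the token reads "\/Date(...)\/".
const WELL_FORMED = '{"when":"\\/Date(1700000000000)\\/","n":1}';
const MALFORMED   = '{"when":"\\/Date(not-digits)\\/","n":1}';

// Eval-free alternative (assumes strict JSON from the server): parse first,
// then revive date tokens. After JSON.parse the escaped "\/" is just "/",
// so the string value to match is "/Date(1700000000000)/".
const TICKS_RE = /^\/Date\((-?\d+)\)\/$/;
function parseAjaxResponse(text) {
  return JSON.parse(text, (key, value) => {
    if (typeof value !== 'string') return value;
    const m = TICKS_RE.exec(value);
    return m ? new Date(Number(m[1])) : value; // non-matching strings stay strings
  });
}
```

Running countDateTokens with both patterns shows that the malformed token is accepted by the pre-fix regex and rejected by the post-fix one, while parseAjaxResponse never executes response text at all.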
- AjaxNetProfessional 24.10.10.1
- NVD - CVE-2023-49289
- GitHub - michaelschwarz/Ajax.NET-Professional: Ajax.NET Professional (AjaxPro) is one of the first AJAX frameworks available for Microsoft ASP.NET and is working with many .NET frameworks starting with v1.1.
- Remote Code Execution Security Vulnerability
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| AjaxNetProfessional (NuGet) | < 21.12.22.1 | 21.12.22.1 |
Affected products
- Range: < 21.12.22.1
- michaelschwarz/Ajax.NET-Professional (v5), Range: < 21.12.22.1
Patches
c89e39b9679f: fixed another XSS issue
2 files changed · +5 −9
AjaxPro/core.js+4 −8 modified@@ -179,7 +179,7 @@ Object.extend(AjaxPro, { var d = date.match(/Date\((.*?)\)/)[1]; return "new Date(" + parseInt(d) + ")"; } - else { // ISO Date 2007-12-31T23:59:59Z + /*else { // ISO Date 2007-12-31T23:59:59Z var matches = date.split(/[-,:,T,Z]/); if (matches.length == 7) { matches[1] = (parseInt(matches[1], 0) - 1).toString(); @@ -194,21 +194,17 @@ Object.extend(AjaxPro, { s += ","; } s += parseInt(matches[i], 10); + console.log(s); } if (isDate) { return "new Date(Date.UTC(" + s + "))"; } } - } + }*/ return str; }, parse: function (text) { - // not yet possible as we still return new type() JSON - // if (!(!(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test( - // text.replace(/"(\\.|[^"\\])*"/g, ''))) )) - // throw new Error("Invalid characters in JSON parse string."); - var regEx = /(\"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}.*?\")|(\"\\\/Date\(.*?\)\\\/")/g; - text = text.replace(regEx, this.regExDate); + text = text.replace(/(\"\\\/Date\(\d+\)\\\/")/g, this.regExDate); return eval('(' + text + ')'); }, m: {
AjaxPro/Utilities/Constant.cs+1 −1 modified@@ -52,6 +52,6 @@ public sealed class Constant /// <summary> /// The assembly version. /// </summary> - public const string AssemblyVersion = "21.12.21.2"; + public const string AssemblyVersion = "21.12.22.1"; } }
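Review bot: in the core.js hunk at @@ -179 the ISO-date branch (`else { // ISO Date 2007-12-31T23:59:59Z`) is disabled by wrapping it in a `/* ... */` block comment rather than deleting it, and the `console.log(s);` line added inside that comment is dead debug code. Prefer removing the branch outright, since the regex change in `parse` already stops ISO-looking strings from reaching `regExDate`; if the branch is ever un-commented it would bring the debug output back, and the `parseInt(matches[1], 0)` call in it uses radix 0 where the loop below correctly uses `parseInt(matches[i], 10)`.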
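Review bot: the regex change in `parse` in the core.js hunk at @@ -194 is the substantive fix and deserves a comment in the code saying why: the removed pattern `/(\"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}.*?\")|(\"\\\/Date\(.*?\)\\\/")/g` used lazy `.*?` tails, so any characters inside a quoted token were handed to `regExDate` and its output spliced into the text passed to `eval('(' + text + ')')`, whereas the new `/(\"\\\/Date\(\d+\)\\\/")/g` admits only digits. Note that `eval` remains, and the old comment `// not yet possible as we still return new type() JSON` explaining why the character whitelist check is disabled is deleted rather than kept; keep that TODO in place so the outstanding dependence on the server emitting safe text is visible to the next maintainer.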
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8v6j-gc74-fmpp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-49289 (GHSA, advisory)
- github.com/michaelschwarz/Ajax.NET-Professional/commit/c89e39b9679fcb8ab6644fe21cc7e652cb615e2b (GHSA, x_refsource_MISC, web)
- github.com/michaelschwarz/Ajax.NET-Professional/security/advisories/GHSA-8v6j-gc74-fmpp (GHSA, x_refsource_CONFIRM, web)
- www.nuget.org/packages/AjaxNetProfessional (GHSA, web)
- www.nuget.org/packages/AjaxNetProfessional (MITRE, x_refsource_MISC)