CVE-2023-49289: 
C# vulnerability analysis and mitigation

Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET that creates proxy JavaScript classes for client-side server method invocation. A cross-site scripting (XSS) vulnerability was identified in versions before 21.12.22.1, which was disclosed on December 4, 2023. The vulnerability affects the framework's JavaScript proxy class generation functionality (NVD, GitHub Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 5.4 (Medium) according to NIST, and 6.3 (Medium) according to GitHub. The issue stems from inadequate validation of user input that could lead to cross-site scripting attacks when generating JavaScript proxy classes (NVD).

The vulnerability could allow attackers to execute malicious scripts in the context of the affected web application. The severity of the impact varies depending on the sensitivity of the data handled by the vulnerable site and any implemented security mitigations (GitHub Advisory).

Users are advised to upgrade to version 21.12.22.1 or later. A temporary workaround exists that involves replacing one of the core JavaScript files embedded in the library. This can be done by copying the fixed core.js file from the main project folder to the web server root folder as 'ajaxpro-core-fixed.js' and configuring it through XML. Clients need to refresh their web pages to download the updated JavaScript code (GitHub Advisory).