Last Modified: Nov 07, 2022
Known Affected Versions:
13.1.0, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199
Opened: Feb 15, 2018
Severity: 3-Major
Ajax mapping may be set only when 1) ajax-encryption is enabled OR 2) ajax-integrity AND strong-integrity are enabled. The bug allows ajax-mapping to be set even for the following (invalid) configuration:
ajax-encryption: disabled
ajax-integrity: enabled
strong-integrity: disabled
The system sets the ajax-mapping field when it should have been blocked.
1) The following settings:
ajax-encryption: disabled
ajax-integrity: enabled
strong-integrity: disabled
2) A non-empty ajax-mapping
There is no workaround at this time.
FPS should block ajax-mapping configuration when the preconditions are not met.