CVSS: 6.4EPSS: 0%CPEs: 54EXPL: 0CVE-2023-1298
https://notcve.org/view.php?id=CVE-2023-1298
06 Jul 2023 — ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow Polaris Layout. This vulnerability would enable an authenticated user to inject arbitrary scripts. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1310230 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 73EXPL: 1CVE-2022-43684 – ACL bypass in Reporting functionality
https://notcve.org/view.php?id=CVE-2022-43684
13 Jun 2023 — ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality. Additional Details This issue is present in the following supported ServiceNow releases: * Quebec prior to Patch 10 Hot Fix 8b * Rome prior to Patch 10 Hot Fix 1 * San Diego prior to Patch 7 * Tokyo prior to Tokyo Patch 1; and * Utah prior to Utah General Availability If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated use... • https://github.com/lolminerxmrig/CVE-2022-43684 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.5EPSS: 0%CPEs: 77EXPL: 0CVE-2023-1209
https://notcve.org/view.php?id=CVE-2023-1209
23 May 2023 — Cross-Site Scripting (XSS) vulnerabilities exist in ServiceNow records allowing an authenticated attacker to inject arbitrary scripts. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1262967 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 47EXPL: 0CVE-2022-46389 – Cross-Site Scripting (XSS) vulnerability found on logout functionality
https://notcve.org/view.php?id=CVE-2022-46389
17 Apr 2023 — There exists a reflected XSS within the logout functionality of ServiceNow versions lower than Quebec Patch 10 Hotfix 11b, Rome Patch 10 Hotfix 3b, San Diego Patch 9, Tokyo Patch 4, and Utah GA. This enables an unauthenticated remote attacker to execute arbitrary JavaScript code in the browser-based web console. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1272156 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 56EXPL: 0CVE-2022-46886
https://notcve.org/view.php?id=CVE-2022-46886
14 Apr 2023 — There exists an open redirect within the response list update functionality of ServiceNow. This allows attackers to redirect users to arbitrary domains when clicking on a URL within a service-now domain. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1219857 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 57EXPL: 0CVE-2022-39048 – Cross-Site Scripting (XSS) vulnerability in ServiceNow UI page assessment_redirect
https://notcve.org/view.php?id=CVE-2022-39048
10 Apr 2023 — A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems. • https://support.servicenow.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-42704
https://notcve.org/view.php?id=CVE-2022-42704
12 Jan 2023 — A cross-site scripting (XSS) vulnerability in Employee Service Center (esc) and Service Portal (sp) in ServiceNow Quebec, Rome, and San Diego allows remote attackers to inject arbitrary web script via the Standard Ticket Conversations widget. Una vulnerabilidad de cross-site scripting (XSS) en el Employee Service Center (esc) y Service Portal (sp) en ServiceNow Quebec, Roma y San Diego permite a atacantes remotos inyectar scripts web arbitrario a través del widget Standard Ticket Conversations. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1216141 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2022-38463
https://notcve.org/view.php?id=CVE-2022-38463
23 Aug 2022 — ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS in the logout functionality. ServiceNow versiones hasta San Diego Patch 4b y Patch 6, permite un ataque de tipo XSS reflejado en la funcionalidad logout. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1156793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0CVE-2022-38172
https://notcve.org/view.php?id=CVE-2022-38172
23 Aug 2022 — ServiceNow through San Diego Patch 3 allows XSS via the name field during creation of a new dashboard for the Performance Analytics dashboard. ServiceNow versiones hasta San Diego Patch 3 permite XSS por medio del campo name durante la creación de un nuevo panel de control para el panel de análisis de rendimiento. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1122640 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •