CVSS: 6.4EPSS: 0%CPEs: 54EXPL: 0CVE-2023-1298
https://notcve.org/view.php?id=CVE-2023-1298
06 Jul 2023 — ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow Polaris Layout. This vulnerability would enable an authenticated user to inject arbitrary scripts. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1310230 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 73EXPL: 1CVE-2022-43684 – ACL bypass in Reporting functionality
https://notcve.org/view.php?id=CVE-2022-43684
13 Jun 2023 — ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality. Additional Details This issue is present in the following supported ServiceNow releases: * Quebec prior to Patch 10 Hot Fix 8b * Rome prior to Patch 10 Hot Fix 1 * San Diego prior to Patch 7 * Tokyo prior to Tokyo Patch 1; and * Utah prior to Utah General Availability If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated use... • https://github.com/lolminerxmrig/CVE-2022-43684 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.5EPSS: 0%CPEs: 77EXPL: 0CVE-2023-1209
https://notcve.org/view.php?id=CVE-2023-1209
23 May 2023 — Cross-Site Scripting (XSS) vulnerabilities exist in ServiceNow records allowing an authenticated attacker to inject arbitrary scripts. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1262967 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 47EXPL: 0CVE-2022-46389 – Cross-Site Scripting (XSS) vulnerability found on logout functionality
https://notcve.org/view.php?id=CVE-2022-46389
17 Apr 2023 — There exists a reflected XSS within the logout functionality of ServiceNow versions lower than Quebec Patch 10 Hotfix 11b, Rome Patch 10 Hotfix 3b, San Diego Patch 9, Tokyo Patch 4, and Utah GA. This enables an unauthenticated remote attacker to execute arbitrary JavaScript code in the browser-based web console. • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1272156 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 57EXPL: 0CVE-2022-39048 – Cross-Site Scripting (XSS) vulnerability in ServiceNow UI page assessment_redirect
https://notcve.org/view.php?id=CVE-2022-39048
10 Apr 2023 — A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems. • https://support.servicenow.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •