Stored XSS Vulnerability in ServiceNow IT Service Management Products
CVE-2019-20768
5.4 MEDIUM
What is CVE-2019-20768?
ServiceNow IT Service Management products in the Kingston family through Patch 14-1, the London family through Patch 7, and the Madrid family before Patch 4 are affected by a stored cross-site scripting (XSS) vulnerability. The flaw is reachable through the sysparm_item_guid and sys_id parameters of an Incident Request submitted to service_catalog.do: values supplied in these parameters are stored and later rendered without adequate encoding. An authenticated user with low privileges can plant a script payload that executes in the browser of any other user who subsequently views the affected content, which is why the CVSS vector carries Privileges Required: Low, User Interaction: Required and Scope: Changed. Successful exploitation exposes the victim's session and any data their account can read or modify within the instance. Customers should move to a release beyond the listed patch levels (for Madrid, Patch 4 or later) and, until then, treat non-GUID values in these two parameters as hostile input.
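The two parameters named above are expected to carry ServiceNow record identifiers, so a cheap detection check is to flag any request to service_catalog.do in which sysparm_item_guid or sys_id does not look like a sys_id. The script below is an added example written for this page, not ServiceNow code or part of the original advisory. It assumes that a sys_id is a 32-character lowercase hexadecimal string, that sysparm_item_guid has the same shape, that the literal "-1" (which ServiceNow uses for new-record forms) is benign, and that access logs arrive in the constructed `<ip> <user> "<request line>" <status>` format shown in the sample; the sample log lines are made up for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a ServiceNow sys_id is a 32-character lowercase hex string and
# sysparm_item_guid carries the same shape. "-1" is allowed because ServiceNow
# uses it as the sys_id of a not-yet-saved record.
SYS_ID_RE = re.compile(r"[0-9a-f]{32}")
ALLOWED_LITERALS = {"-1"}
TARGET_PATH = "/service_catalog.do"
WATCHED_PARAMS = ("sysparm_item_guid", "sys_id")


def is_valid_sys_id(value: str) -> bool:
    """True if value is a well-formed sys_id or an allowed literal."""
    return value in ALLOWED_LITERALS or SYS_ID_RE.fullmatch(value) is not None


def suspicious_params(request_line: str) -> dict:
    """Return {parameter: value} for watched parameters of a request to
    service_catalog.do whose value is not a well-formed sys_id.
    Requests to any other path, or with only well-formed values, return {}."""
    parts = request_line.split()          # e.g. ["GET", "/service_catalog.do?...", "HTTP/1.1"]
    if len(parts) < 2:
        return {}
    target = urlsplit(parts[1])
    if target.path != TARGET_PATH:
        return {}
    query = parse_qs(target.query, keep_blank_values=True)  # percent-decodes values
    bad = {}
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if not is_valid_sys_id(value):
                bad[name] = value
    return bad


def scan_log(lines):
    """Return [(line, bad_params)] for every log line whose quoted request
    line carries a suspicious sysparm_item_guid or sys_id."""
    hits = []
    for line in lines:
        match = re.search(r'"([^"]*)"', line)   # the quoted request line
        if match:
            bad = suspicious_params(match.group(1))
            if bad:
                hits.append((line, bad))
    return hits


# Constructed sample log lines (not real traffic): a normal catalog request,
# a request carrying a script tag where a GUID belongs, and an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 alice "GET /service_catalog.do?sysparm_item_guid=a1b2c3d4e5f60718293a4b5c6d7e8f90'
    '&sys_id=3f2504e04f8911d39a0c0305e82c3301 HTTP/1.1" 200',
    '10.0.0.9 mallory "GET /service_catalog.do?sysparm_item_guid=%3Cscript%3Ealert(1)%3C%2Fscript%3E'
    '&sys_id=3f2504e04f8911d39a0c0305e82c3301 HTTP/1.1" 200',
    '10.0.0.7 bob "GET /incident.do?sys_id=-1 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line, bad in scan_log(SAMPLE_LOG):
        print("SUSPICIOUS:", bad, "<-", line)
```

Because the vulnerability is stored, the hostile value may arrive in a POST body rather than the query string; `is_valid_sys_id` can be applied to decoded form fields in the same way. The check is a heuristic for triage, not a fix: it catches obviously malformed identifiers but does not replace upgrading to a patched release.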
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved