Cross-Site Scripting (XSS) vulnerability found on logout functionality
CVE-2022-46389

6.1MEDIUM

Key Information:

Vendor: Servicenow
Status: Now Platform
Vendor: CVE Published:; 17 April 2023

What is CVE-2022-46389?

There exists a reflected XSS within the logout functionality of ServiceNow versions lower than Quebec Patch 10 Hotfix 11b, Rome Patch 10 Hotfix 3b, San Diego Patch 9, Tokyo Patch 4, and Utah GA. This enables an unauthenticated remote attacker to execute arbitrary JavaScript code in the browser-based web console.

Affected Version(s)

Now Platform Quebec

Now Platform Rome

Now Platform San Diego

References

https://support.servicenow.com/kb?id=kb_article_view&sysp...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 17, 2023
Vulnerability Reserved
Dec 4, 2022

Credit

Bao Bui a.k.a 0xd0ff9 from VNG Security Team