CVE-2024-5890

Summary

ServiceNow has addressed an HTML injection vulnerability that was identified in the Now Platform. This vulnerability could potentially enable an unauthenticated user to modify a web page or redirect users to another website.

ServiceNow released updates to customers that addressed this vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance(s) as soon as possible.

Affected Software

VendorProductVersion RangeStatus
ServiceNowNow Platform0 < Utah Patch 8 Hot Fix 1affected
ServiceNowNow Platform0 < Vancouver Patch 10affected
ServiceNowNow Platform0 < Vancouver Patch 9affected
ServiceNowNow Platform0 < Washington DC Early Accessaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References