CVE-2022-46389

EPSS 0.49%
Veröffentlicht 17.04.2023 22:15:07
Zuletzt bearbeitet 21.11.2024 07:30:30
Quelle psirt@servicenow.com
CVE-Watchlists
Login
Unerledigt
Login

There exists a reflected XSS within the logout functionality of ServiceNow versions lower than Quebec Patch 10 Hotfix 11b, Rome Patch 10 Hotfix 3b, San Diego Patch 9, Tokyo Patch 4, and Utah GA. This enables an unauthenticated remote attacker to execute arbitrary JavaScript code in the browser-based web console.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Servicenow ≫ Servicenow Versionquebec Update-

Servicenow ≫ Servicenow Versionrome Update-

Servicenow ≫ Servicenow Versionrome Updateearly_availability

Servicenow ≫ Servicenow Versionrome Updatepatch_1

Servicenow ≫ Servicenow Versionrome Updatepatch_1_hotfix_1a

Servicenow ≫ Servicenow Versionrome Updatepatch_1_hotfix_1b

Servicenow ≫ Servicenow Versionrome Updatepatch_10

Servicenow ≫ Servicenow Versionrome Updatepatch_2

Servicenow ≫ Servicenow Versionrome Updatepatch_3

Servicenow ≫ Servicenow Versionrome Updatepatch_4

Servicenow ≫ Servicenow Versionrome Updatepatch_4_hotfix_1

Servicenow ≫ Servicenow Versionrome Updatepatch_4_hotfix_1a

Servicenow ≫ Servicenow Versionrome Updatepatch_4_hotfix_1b

Servicenow ≫ Servicenow Versionrome Updatepatch_5

Servicenow ≫ Servicenow Versionrome Updatepatch_6

Servicenow ≫ Servicenow Versionrome Updatepatch_7

Servicenow ≫ Servicenow Versionrome Updatepatch_7a

Servicenow ≫ Servicenow Versionrome Updatepatch_7b

Servicenow ≫ Servicenow Versionrome Updatepatch_8

Servicenow ≫ Servicenow Versionrome Updatepatch_9

Servicenow ≫ Servicenow Versionrome Updatepatch_9a

Servicenow ≫ Servicenow Versionsan_diego Update-

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_1

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_1_hotfix_1

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_1_hotfix_1a

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_1_hotfix_1b

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_2

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_3

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_4

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_4a

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_4b

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_5

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_6

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_7

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_7b

Servicenow ≫ Servicenow Versionsan_diego Updatepatch_8

Servicenow ≫ Servicenow Versiontokyo Update-

Servicenow ≫ Servicenow Versiontokyo Updateearly_availability

Servicenow ≫ Servicenow Versiontokyo Updatepatch_1

Servicenow ≫ Servicenow Versiontokyo Updatepatch_1a

Servicenow ≫ Servicenow Versiontokyo Updatepatch_1b

Servicenow ≫ Servicenow Versiontokyo Updatepatch_2

Servicenow ≫ Servicenow Versiontokyo Updatepatch_3

Servicenow ≫ Servicenow Versionutah Update-

Servicenow ≫ Servicenow Versionutah Updateearly_availability

Servicenow ≫ Servicenow Versionutah Updatepatch_1

Servicenow ≫ Servicenow Versionutah Updatepatch_2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.49%	0.652

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
psirt@servicenow.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1272156

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-46389

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-46389

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-46389

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-46389