CVE-2022-46389
Summary
| CVE | CVE-2022-46389 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-17 22:15:00 UTC |
| Updated | 2023-04-27 19:50:00 UTC |
| Description | A reflected cross-site scripting (XSS) vulnerability exists in the logout functionality of ServiceNow releases earlier than Quebec Patch 10 Hotfix 11b, Rome Patch 10 Hotfix 3b, San Diego Patch 9, Tokyo Patch 4 and Utah GA. An unauthenticated remote attacker who gets a user to open a crafted link can execute arbitrary JavaScript in that user's browser within the ServiceNow web console. Note that the NVD configuration list on this page also marks Utah Patch 1 and Patch 2 as affected, which conflicts with the Utah GA cutoff stated here; rely on the vendor advisory linked under References for the authoritative fixed builds. |
Risk And Classification
Problem Types: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Servicenow | Servicenow | quebec | - | All | All |
| Application | Servicenow | Servicenow | rome | - | All | All |
| Application | Servicenow | Servicenow | rome | early_availability | All | All |
| Application | Servicenow | Servicenow | rome | patch_1 | All | All |
| Application | Servicenow | Servicenow | rome | patch_10 | All | All |
| Application | Servicenow | Servicenow | rome | patch_1_hotfix_1a | All | All |
| Application | Servicenow | Servicenow | rome | patch_1_hotfix_1b | All | All |
| Application | Servicenow | Servicenow | rome | patch_2 | All | All |
| Application | Servicenow | Servicenow | rome | patch_3 | All | All |
| Application | Servicenow | Servicenow | rome | patch_4 | All | All |
| Application | Servicenow | Servicenow | rome | patch_4_hotfix_1 | All | All |
| Application | Servicenow | Servicenow | rome | patch_4_hotfix_1a | All | All |
| Application | Servicenow | Servicenow | rome | patch_4_hotfix_1b | All | All |
| Application | Servicenow | Servicenow | rome | patch_5 | All | All |
| Application | Servicenow | Servicenow | rome | patch_6 | All | All |
| Application | Servicenow | Servicenow | rome | patch_7 | All | All |
| Application | Servicenow | Servicenow | rome | patch_7a | All | All |
| Application | Servicenow | Servicenow | rome | patch_7b | All | All |
| Application | Servicenow | Servicenow | rome | patch_8 | All | All |
| Application | Servicenow | Servicenow | rome | patch_9 | All | All |
| Application | Servicenow | Servicenow | rome | patch_9a | All | All |
| Application | Servicenow | Servicenow | san_diego | - | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_1 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_1_hotfix_1 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_1_hotfix_1a | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_1_hotfix_1b | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_2 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_3 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_4 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_4a | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_4b | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_5 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_6 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_7 | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_7b | All | All |
| Application | Servicenow | Servicenow | san_diego | patch_8 | All | All |
| Application | Servicenow | Servicenow | tokyo | - | All | All |
| Application | Servicenow | Servicenow | tokyo | early_availability | All | All |
| Application | Servicenow | Servicenow | tokyo | patch_1 | All | All |
| Application | Servicenow | Servicenow | tokyo | patch_1a | All | All |
| Application | Servicenow | Servicenow | tokyo | patch_1b | All | All |
| Application | Servicenow | Servicenow | tokyo | patch_2 | All | All |
| Application | Servicenow | Servicenow | tokyo | patch_3 | All | All |
| Application | Servicenow | Servicenow | utah | - | All | All |
| Application | Servicenow | Servicenow | utah | early_availability | All | All |
| Application | Servicenow | Servicenow | utah | patch_1 | All | All |
| Application | Servicenow | Servicenow | utah | patch_2 | All | All |
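Patch-level triage is the practical question this record raises: given an instance's release, is it below the fixed level named in the description, and do the NVD rows above agree? The helper below is an added example, not code from ServiceNow, NVD or the CVE program. It encodes the five fixed levels from the description and orders releases alphabetically (Quebec < Rome < San Diego < Tokyo < Utah), which is ServiceNow's release-naming convention. The accepted version-string format ("Release [Early Availability | Patch N[a-z] [Hotfix M[a-z]]]", or the NVD CPE spelling such as `san_diego patch_4_hotfix_1a`) and the relative order of a lettered patch versus a hotfix on the same patch are assumptions made for this example; real instance build strings must be mapped onto that form first.

```python
import re
from typing import List, NamedTuple

# Release families in chronological order (ServiceNow names releases alphabetically).
RELEASE_ORDER = ["quebec", "rome", "san diego", "tokyo", "utah"]


class SnVersion(NamedTuple):
    """Comparable version tuple; plain tuple ordering does the work.
    Assumed order: EA (-1) < GA (0) < Patch 1 < Patch 1 Hotfix 1 < Patch 1 Hotfix 1a
    < Patch 1a < Patch 2. The lettered-patch vs hotfix order is an assumption."""
    release: int
    patch: int
    patch_sub: int
    hotfix: int
    hotfix_sub: int


_VERSION_RE = re.compile(
    r"^(?P<release>quebec|rome|san diego|tokyo|utah)"
    r"(?:\s+(?P<ea>early availability))?"
    r"(?:\s+patch\s*(?P<patch>\d+)(?P<patch_sub>[a-z])?)?"
    r"(?:\s+hotfix\s*(?P<hotfix>\d+)(?P<hotfix_sub>[a-z])?)?$"
)


def _letter(s) -> int:
    """'a' -> 1, 'b' -> 2, missing -> 0."""
    return 0 if not s else ord(s) - ord("a") + 1


def parse(version: str) -> SnVersion:
    """Parse 'San Diego Patch 4 Hotfix 1a', NVD CPE style 'san_diego patch_4_hotfix_1a',
    or 'tokyo -' (CPE '-' update field = GA build). Families older than Quebec are
    outside this record's scope and are rejected rather than guessed at."""
    s = re.sub(r"[_\s]+", " ", version.strip().lower())
    if s.endswith(" -"):
        s = s[:-2]
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised ServiceNow version: {version!r}")
    return SnVersion(
        release=RELEASE_ORDER.index(m["release"]),
        patch=-1 if m["ea"] else int(m["patch"] or 0),
        patch_sub=_letter(m["patch_sub"]),
        hotfix=int(m["hotfix"] or 0),
        hotfix_sub=_letter(m["hotfix_sub"]),
    )


# Fixed levels exactly as the CVE description states them.
FIXED_IN = {
    "quebec": parse("Quebec Patch 10 Hotfix 11b"),
    "rome": parse("Rome Patch 10 Hotfix 3b"),
    "san diego": parse("San Diego Patch 9"),
    "tokyo": parse("Tokyo Patch 4"),
    "utah": parse("Utah"),  # GA
}


def is_vulnerable(version: str) -> bool:
    """True when the version sorts below its family's fixed level."""
    v = parse(version)
    return v < FIXED_IN[RELEASE_ORDER[v.release]]


def nvd_rows_contradicting_description(rows: List[str]) -> List[str]:
    """Rows NVD marks affected but the description's cutoffs call fixed."""
    return [r for r in rows if not is_vulnerable(r)]


# Constructed subset of the NVD 'version update' rows from the table above.
NVD_AFFECTED_SUBSET = [
    "quebec -", "rome patch_9a", "rome patch_10", "san_diego patch_8",
    "tokyo patch_3", "utah early_availability", "utah patch_1", "utah patch_2",
]

if __name__ == "__main__":
    for v in ["Rome Patch 10", "Rome Patch 10 Hotfix 3b", "Tokyo Patch 4",
              "Utah Early Availability"]:
        print(f"{v:28s} vulnerable={is_vulnerable(v)}")
    print("NVD rows contradicting description:",
          nvd_rows_contradicting_description(NVD_AFFECTED_SUBSET))
```

Run against the page's own rows, the second function flags `utah patch_1` and `utah patch_2`: the description's Utah GA cutoff says these are fixed, while NVD lists them as affected. That disagreement is exactly the kind of thing to resolve against the vendor advisory before closing a ticket on an Utah instance.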
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [Security Advisory] CVE-2022-46389 - Cross-Site Scripting (XSS) vulnerability found on logout functionality - Global Security Support Center (GSSC) - Now Support Portal | MISC | support.servicenow.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Bao Bui a.k.a. 0xd0ff9 from VNG Security Team
There are currently no legacy QID mappings associated with this CVE.