Summary
A security vulnerability rated “critical” was found in ServiceNow UI Macros in the Vancouver and Washington DC versions. This vulnerability could allow a remote unauthenticated user to execute arbitrary code within the context of the platform.
Risk
Estimated impact of vulnerability on the reference community: MEDIUM/YELLOW (60/100) [1].
Type
- Remote Code Execution
Affected products and versions
Utah
- Patch 10, versions prior to Hot Fix 3
- Patch 10a, versions prior to Hot Fix 2
Vancouver
- Patch 6, versions prior to Hot Fix 2
- Patch 7, versions prior to Hot Fix 3b
- Patch 8, versions prior to Hot Fix 4
Washington DC
- Patch 1, versions prior to Hot Fix 2b
- Patch 2, versions prior to Hot Fix 2
- Patch 3, versions prior to Hot Fix 1
Mitigation actions
In line with the vendor’s guidance, apply the available mitigations by following the instructions in the security bulletins listed in the References section.
Unique vulnerability identifiers
References
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154
[1] This estimate takes into account various parameters, including CVSS, the availability of patches/workarounds and PoC, and how widespread the affected software/devices are in the reference community.