CVE-2024-8923

EUVD-2024-49486
ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
servicenowservicenow
Vancouver ≤
𝑥
< Vancouver Patch 9 Hot Fix 2a
ADP
servicenowservicenow
Vancouver ≤
𝑥
< Vancouver Patch 10
ADP
servicenowservicenow
Washington_DC ≤
𝑥
< Washington DC Patch 4 Hot Fix 1a
ADP
servicenowservicenow
Washington_DC ≤
𝑥
< Washington DC Patch 5
ADP
servicenowservicenow
Xanadu ≤
𝑥
< Xanadu GA Release
ADP
Common Weakness Enumeration
References
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1706070