Description

ServiceNow has a server-side template injection (SSTI) vulnerability that allows an unauthenticated attacker to execute arbitrary code, thereby compromising the system.

Remediation

Upgrade to the latest version of ServiceNow

References

CVE-2024-4879 - Jelly Template Injection Vulnerability in ServiceNow UI Macros

Chaining Three Bugs to Access All Your ServiceNow Data

Related Vulnerabilities

Python Cryptographic Issues Vulnerability (CVE-2012-1150)

ClipBucket Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2018-7666)

PHP-Fusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-23184)

Coppermine Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2008-7187)

MySQL CVE-2023-22103 Vulnerability (CVE-2023-22103)

Severity

Critical

Classification

CVE-2024-4879 CVE-2024-5217 CWE-1287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Ssti Known Vulnerabilities