CVE-2023-1298
published 2023-07-06CVE-2023-1298: ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow Polaris…
PriorityP423medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.34%
26.3th percentile
ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow Polaris Layout. This vulnerability would enable an authenticated user to inject arbitrary scripts.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_user_experience | < San Diego Patch 10 | San Diego Patch 10 |
| servicenow | now_user_experience | < Tokyo Patch 4b | Tokyo Patch 4b |
| servicenow | now_user_experience | < Tokyo Patch 6 | Tokyo Patch 6 |
| servicenow | now_user_experience | < Utah Patch 1 | Utah Patch 1 |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
| tianocore | edk2 | >= 0 < 2022.02-3ubuntu0.22.04.5 | 2022.02-3ubuntu0.22.04.5 |
| tianocore | edk2 | >= 0 < 2022.02-3ubuntu0.22.04.4 | 2022.02-3ubuntu0.22.04.4 |
| tianocore | edk2 | >= 0 < 2024.02-2ubuntu0.7 | 2024.02-2ubuntu0.7 |
| tianocore | edk2 | >= 0 < 2024.02-2ubuntu0.6 | 2024.02-2ubuntu0.6 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv7.4HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
edk2 regression
osv·2025-11-28·CVSS 7.4
CVE-2023-45236 edk2 regression
edk2 regression
USN-7894-1 fixed vulnerabilities in EDK II. The update introduced a
regression in the UEFI network boot. This update reverts the corresponding
fixes for CVE-2023-45236 and CVE-2023-45237 pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that EDK II was susceptible to a predictable TCP Initial
Sequence Number. An attacker could possibly use this issue to gain
unauthorized access. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2023-45236, CVE-2023-45237)
It was discovered that EDK II incorrectly handled S3 sleep. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-1298)
It was discovered that
OSV
edk2 vulnerabilities
osv·2025-11-26·CVSS 7.4
CVE-2023-45236 edk2 vulnerabilities
edk2 vulnerabilities
It was discovered that EDK II was susceptible to a predictable TCP Initial
Sequence Number. An attacker could possibly use this issue to gain
unauthorized access. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2023-45236, CVE-2023-45237)
It was discovered that EDK II incorrectly handled S3 sleep. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-1298)
It was discovered that the EDK II PE/COFF loader incorrectly handled
certain memory operations. An attacker could possibly use this issue to
cause a denial of service, obtain sensitive information, or execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2024-38
GHSA
GHSA-vrrx-r38v-p3m7: ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow P
ghsa_unreviewed·2023-07-06
CVE-2023-1298 [MEDIUM] CWE-79 GHSA-vrrx-r38v-p3m7: ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow P
ServiceNow has released upgrades and patches that address a Reflected Cross-Site scripting (XSS) vulnerability that was identified in the ServiceNow Polaris Layout. This vulnerability would enable an authenticated user to inject arbitrary scripts.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-07-06
Published