CVE-2024-8924
Published: 2024-10-29
Priority P347 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.51% (39.5th percentile)
ServiceNow has addressed a blind SQL injection vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to extract unauthorized information. ServiceNow deployed an update to hosted instances, and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_platform | < Utah Patch 10b Hot Fix 3 | Utah Patch 10b Hot Fix 3 |
| servicenow | now_platform | < Vancouver Patch 8 Hot Fix 5 | Vancouver Patch 8 Hot Fix 5 |
| servicenow | now_platform | < Vancouver Patch 9 Hot Fix 3b | Vancouver Patch 9 Hot Fix 3b |
| servicenow | now_platform | < Vancouver Patch 10 Hot Fix 2 | Vancouver Patch 10 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 4 Hot Fix 2b | Washington DC Patch 4 Hot Fix 2b |
| servicenow | now_platform | < Washington DC Patch 5 Hot Fix 6 | Washington DC Patch 5 Hot Fix 6 |
| servicenow | now_platform | < Washington DC Patch 6 Hot Fix 1 | Washington DC Patch 6 Hot Fix 1 |
| servicenow | now_platform | < Washington DC Patch 7 | Washington DC Patch 7 |
| servicenow | now_platform | < Xanadu Patch 1 | Xanadu Patch 1 |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.