ServiceNow Now Platform vulnerabilities
11 known vulnerabilities affecting servicenow/now_platform.
Total CVEs: 11
CISA KEV: 2 (actively exploited)
Public exploits: 3
Exploited in wild: 3
Severity breakdown
CRITICAL: 3, HIGH: 2, MEDIUM: 6
Vulnerabilities
CVE-2024-4879 | P1 | CRITICAL | CVSS 9.8 | CWE-1287 | KEV | PoC | fixed in Utah Patch 10 Hot Fix 3 | fixed in Utah Patch 10a Hot Fix 2 | +9 more | 2024-07-10
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our part
nvd
CVE-2024-5217 | P1 | CRITICAL | CVSS 9.8 | CWE-184 | KEV | PoC | fixed in Utah Patch 10 Hot Fix 3 | fixed in Utah Patch 10a Hot Fix 2 | +11 more | 2024-07-10
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which wer
nvd
CVE-2024-5178 | P2 | MEDIUM | CVSS 4.9 | CWE-184 | Exploited | fixed in Utah Patch 10 Hot Fix 3 | fixed in Utah Patch 10a Hot Fix 2 | +10 more | 2024-07-10
ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server. The vulnerability is addressed in the listed patches and hot fixes, which w
nvd
CVE-2024-8923 | P2 | CRITICAL | CVSS 10.0 | CWE-94 | fixed in Vancouver Patch 9 Hot Fix 2a | fixed in Vancouver Patch 10 | +3 more | 2024-10-29
ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Furt
nvd
CVE-2022-39048 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | ≥ Tokyo, < Patch 1a | ≥ San Diego, < Patch 7b | +2 more | 2023-04-10
An XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, th
nvd
CVE-2025-3648 | P3 | HIGH | CVSS 8.2 | CWE-1220 | vAspen | 2025-07-08
A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to th
nvd
CVE-2024-8924 | P3 | HIGH | CVSS 7.5 | CWE-89 | fixed in Utah Patch 10b Hot Fix 3 | fixed in Vancouver Patch 8 Hot Fix 5 | +7 more | 2024-10-29
ServiceNow has addressed a blind SQL injection vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to extract unauthorized information. ServiceNow deployed an update to hosted instances, and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is ad
nvd
CVE-2022-43684 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | ≥ Quebec, < Patch 10 Hot Fix 8b | ≥ Rome, < Patch 10 Hot Fix 1 | +3 more | 2023-06-13
ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality.
Additional Details
This issue is present in the following supported ServiceNow releases:
* Quebec prior to Patch 10 Hot Fix 8b
* Rome prior to Patch 10 Hot Fix 1
* San Diego prior to Patch 7
* Tokyo prior to To
nvd
CVE-2025-0337 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in Washington DC Patch 9 | fixed in Xanadu Patch 4 | +1 more | 2025-03-06
ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access.
This issue is addressed i
nvd
CVE-2022-46389 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ Quebec, < Patch 10 Hotfix 11b | ≥ Rome, < Patch 10 Hotfix 3b | +3 more | 2023-04-17
There exists a reflected XSS within the logout functionality of ServiceNow versions lower than Quebec Patch 10 Hotfix 11b, Rome Patch 10 Hotfix 3b, San Diego Patch 9, Tokyo Patch 4, and Utah GA. This enables an unauthenticated remote attacker to execute arbitrary JavaScript code in the browser-based web console.
nvd
CVE-2024-5890 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | fixed in Utah Patch 8 Hot Fix 1 | fixed in Vancouver Patch 10 | +2 more | 2024-12-02
ServiceNow has addressed an HTML injection vulnerability that was identified in the Now Platform. This vulnerability could potentially enable an unauthenticated user to modify a web page or redirect users to another website.
ServiceNow released updates to customers that addressed this vulnerability. If you have not done so already, we recommend applyi
nvd