cvelist, SN, CVELIST:CVE-2022-46886
History: Apr 14, 2023 - 12:00 a.m.

CVE-2022-46886

2023-04-14 00:00:00, SN, www.cve.org
Tags: servicenow, open redirect, response list update, functionality, security vulnerability, cve-2022-46886

CVSS3: 5.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

EPSS: 0.0005 Low
Percentile: 18.2%

There exists an open redirect within the response list update functionality of ServiceNow. This allows attackers to redirect users to arbitrary domains when clicking on a URL within a service-now domain.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ServiceNow",
    "vendor": "ServiceNow",
    "versions": [
      {
        "changes": [
          {
            "at": "Tokyo Patch 3",
            "status": "unaffected"
          }
        ],
        "lessThan": "Tokyo Patch 1b",
        "status": "affected",
        "version": "Tokyo",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "San Diego Patch 9",
            "status": "unaffected"
          }
        ],
        "lessThan": "San Diego Patch 7b",
        "status": "affected",
        "version": "San Diego",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "Rome Patch 10 Hotfix 3b",
            "status": "unaffected"
          }
        ],
        "lessThan": "Rome Patch 10 Hotfix 2b",
        "status": "affected",
        "version": "Rome",
        "versionType": "custom"
      },
      {
        "lessThan": "Quebec Patch 10 Hotfix 10b",
        "status": "affected",
        "version": "Quebec",
        "versionType": "custom"
      }
    ]
  }
]
