**Description:**
During my research, I found one of the hosts running ServiceNow vulnerable to CVE-2022-38463. ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS in the logout functionality.
## Impact
An attacker is able to steal victims' cookies, redirect the victim to an attacker-controlled domain, and perform various malicious activities.
## System Host(s)
███
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
1. Enter the following crafted URL in any web browser.
https://█████████/logout_redirect.do?sysparm_url=//j%5c%5cjavascript%3aalert(document.domain)
2. XSS will be triggered.
## Suggested Mitigation/Remediation Actions
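For defenders triaging exposure, the following is an added example, not part of the original report and not ServiceNow code: a log check that flags `logout_redirect.do` requests whose `sysparm_url` is anything other than a plain same-site path. It assumes a combined-format access log and that legitimate redirect targets are local paths; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCRIPT_SCHEME_RE = re.compile(r'\b(?:javascript|data|vbscript)\s*:', re.I)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_redirect(value):
    """Return reasons why a sysparm_url value is not a plain same-site path."""
    v = fully_decode(value).strip()
    reasons = []
    if v.startswith('//'):
        reasons.append('protocol-relative')
    if '\\' in v:
        reasons.append('backslash')
    if SCRIPT_SCHEME_RE.search(v):
        reasons.append('script-scheme')
    if not v.startswith('/'):
        reasons.append('not-a-local-path')
    return reasons

def scan(lines):
    """Return (line_number, reasons) for suspicious logout_redirect.do hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        path, _, query = (m.group(1) if m else '').partition('?')
        if not path.lower().endswith('/logout_redirect.do'):
            continue
        for value in parse_qs(query).get('sysparm_url', []):
            reasons = classify_redirect(value)
            if reasons:
                hits.append((n, reasons))
    return hits

# Constructed sample lines (documentation IPs, invented timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Aug/2022:11:00:51 +0000] "GET /logout_redirect.do?sysparm_url=%2Fhome HTTP/1.1" 200 512',
    '192.0.2.11 - - [26/Aug/2022:11:01:02 +0000] "GET /logout_redirect.do?sysparm_url=//j%5c%5cjavascript%3aalert(document.domain) HTTP/1.1" 200 498',
    '192.0.2.12 - - [26/Aug/2022:11:01:30 +0000] "GET /logout_redirect.do?sysparm_url=%252F%252Fexample.org HTTP/1.1" 302 0',
    '192.0.2.13 - - [26/Aug/2022:11:02:10 +0000] "GET /other.do?sysparm_url=//x HTTP/1.1" 200 10',
]
```

Hits from a scan like this are leads for review rather than proof of exploitation; upgrading past the affected San Diego patch levels named in the CVE description remains the fix.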
## Report metadata
- Title: U.S. Dept Of Defense: XSS DUE TO CVE-2022-38463 in https://████████
- Report: https://hackerone.com/reports/1681208 (HackerOne, ID H1:1681208)
- Reporter: shuvam321
- Program: deptofdefense (https://hackerone.com/deptofdefense)
- Published: 2022-08-26T11:00:51; modified: 2022-09-14T20:30:36
- State: resolved; bounty: 0.0
- CVSS 3.1: 6.1 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (exploitability 2.8, impact 2.7)
- CVE: CVE-2022-38463
- EPSS: 0.001060000 (percentile 0.415060000), modified 2023-03-19

## Related
- CVE-2022-38463 (NVD, CWE-79; published 2022-08-23T19:15:00, modified 2022-08-26T19:18:00): "ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS in the logout functionality." CVSS 3.1 base score 6.1 (MEDIUM). Listed CPEs: cpe:2.3:a:servicenow:servicenow:san_diego:patch_4a, cpe:2.3:a:servicenow:servicenow:san_diego:patch_6, cpe:2.3:a:servicenow:servicenow:san_diego:patch_4. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38463
- Tenable Web Application Scanning plugin WEB_APPLICATION_SCANNING_113341, "ServiceNow Logout Cross-Site Scripting" (published 2022-09-06, modified 2022-12-19): "ServiceNow versions prior to San Diego Patch 4b and Patch 6 are affected by a reflected XSS within the logout functionality. This may permit a remote unauthenticated attacker to execute arbitrary JavaScript code in the browser context of the targeted ServiceNow user." https://www.tenable.com/plugins/was/113341