Lucene search
K

ServiceNow ITSM Cross Site Scripting

🗓️ 12 Jun 2016 00:00:00Reported by Omkar JoshiType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 52 Views

ServiceNow ITSM Cross Site Scripting vulnerability reported in 2016 affecting ServiceNow IT Service Management with multiple attack scenarios and high severit

Code
`*Overview-----------------------------------------------------------------------------------------------------------------------*  
Vendor: ServiceNow  
Vulnerable Product: ServiceNow IT Service Management (ITSM)  
Vulnerability Type: Multiple Cross Site Scripting Vulnerability  
Vendor Homepage:  
http://www.servicenow.com/products/it-service-management.html  
CVE-ID: NA  
Severity: High  
Author: Omkar Joshi  
  
  
Vulnerability Reported: 06/02/2016  
Response From Vendor: 06/03/2016  
Vendor Confirmation: 06/03/2016  
Patch Released: Not yet  
  
  
  
*Product  
Description---------------------------------------------------------------------------------------------------------------------*  
ServiceNow ITSM solutions give you end to end visibility into your ITIL  
processes and infrastructure through a single system of record — making it  
possible to consolidate fragmented tools and legacy systems while  
automating service management processes. ServiceNow is easy to configure  
and allows you to go live quickly with confidence, while scaling to your  
business needs. With a simple and consistent approach, you increase  
efficiency, lower costs, and devote more time to innovating and delivering  
the modern, consumer‑like, self‑service experience your employees expect.  
  
  
  
  
  
*Proof Of Concept  
URL-----------------------------------------------------------------------------------------------------------------------Stored  
Cross Site Scritping ->*https://XXX.service-now.com/navpage.do (My Profile)  
https://XXX.service-now.com/XXX_ess/home.do?sysparm_cancelable=true (My  
Portal)  
  
*Reflected Cross Site Scripting ->*  
https://XXX.service-now.com/XXX_ess/search_results.do?sysparm_search= (My  
Portal Search Bar)  
  
*Credits & Authors*  
------------------------------------------------------------------------------------------------------------------  
  
Omkar Joshi  
  
*Steps to Reproduce:*  
  
  
*Attack Scenario: Stored Cross Site Scripting*  
  
Step 1. Login into ServiceNow  
Step 2: Go to My Profile.  
Step 3: Insert XSS payload in "First Name" & "Last Name" parameter of My  
Profile.  
I have used "><img src=x onerror=prompt(1);> and "><img src=x  
onerror=prompt(document.cookie);> XSS payload  
Step 4: Then click on Update  
Step 5: Whenever anyone try to visit dashboard or navigate pages of  
ServiceNow XSS Script will get execute.  
  
  
*Attack Scenario: Reflected Cross Site Scripting*Step 1. Login into  
ServiceNow  
Step 2: Go to My Portal.  
Step 3: Insert XSS payload in "Search" bar of My Portal.  
I have used "><img src=x onerror=prompt("XSS");> and "><img src=x  
onerror=prompt(1);> XSS payload  
Step 4: Then click on Search, XSS Script will get execute.  
  
*Impact of attack:* An attack can perform Cross Site Scripting attack and  
steal the cookie of other active sessions. An attacker would exploit a  
vulnerability within a website or web application that the victim would  
visit, essentially using the vulnerable website as a vehicle to deliver a  
malicious script to the victim’s browser.  
An attacker might be able to put stored XSS into the website.  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
  
*Recommendation:* Use an appropriate combination of white listing and  
blacklisting to ensure only valid and expected input is processed by the  
system. Furthermore, classes within the output tag libraries should also be  
modified to encode potentially dangerous characters with their HTML escape  
Counter parts.  
  
For more information refer the following link  
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Jun 2016 00:00Current
7.4High risk
Vulners AI Score7.4
52