ServiceNow AI Platform Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the ServiceNow AI Platform. This issue allows for arbitrary code execution in the browsers of users who click on a specially crafted link. ServiceNow has deployed security updates to most hosted instances and has made updates available for self-hosted customers, partners, and those with unique configurations. The vulnerability is also addressed in specific patches and hot fixes.
Impact
An attacker who exploits this reflected cross-site scripting vulnerability can execute arbitrary code in the context of the user's browser.
Remediation
ServiceNow has released security patches for this vulnerability. Hosted customers have already received the update, while self-hosted customers, partners, and those with unique configurations can access the patch through the ServiceNow support portal. Specific patch details can be found in the ServiceNow knowledge base article KB2552837.
