Unauthenticated Information Disclosure via favorites endpoint - Known Error

Unauthenticated Information Disclosure via favorites endpoint Description Unauthenticated information can be disclosed with the 'favorites' API end point.

Steps to Reproduce

1. Navigate as an unauthenticated user to https:// .service-now.com/api/now/ui/navigator/favorites

(e.g. https://hi.service-now.com/api/now/ui/navigator/favorites)

Workaround No workaround exist for this as the functionality is working as expected.

This endpoint was designed to be accessible for non-authenticated users. It is possible to configure an instance to have 'public' modules that can be seen from the login screen and the data returned from this endpoint is this data, which is available publicly from the login screen.

The endpoint is "secured" as it only returns the information that was configured to be public and nothing else.

This is not considered a potential security issue.