[Security Advisory] CVE-2022-38172 - Cross-Site Scripting (XSS) vulnerability in the Performance Analytics dashboard

ServiceNow Posture

August, 2022

A Cross-Site Scripting (XSS) vulnerability was reported to ServiceNow by a third-party researcher. The XSS is contained within the Performance Analytics dashboard. A low privilege user can create a new dashboard with a maliciously crafted payload in the "name" field. Once the dashboard has been created, the attacker is able to execute an XSS payload using a specially crafted URL on the dashboard just created.

This issue affects ServiceNow versions San Diego Patch 4 and lower.

This issue has been fixed in San Diego Patch 5, Rome Patch 10 HotFix 1, and Quebec Patch 10 HotFix 6b. The best practice to remediate this issue is to upgrade your instance with the patch as soon as possible.

Additional Resources

ServiceNow does not endorse or share the views, positions, or claims expressed by any of the following links. They are provided solely as supplementary material.

https://nvd.nist.gov/vuln/detail/CVE-2022-38172