[Security Advisory] CVE-2022-38463 - Cross-Site Scripting (XSS) vulnerability found on logout functionality

ServiceNow Posture
August, 2022

A Cross-Site Scripting (XSS) vulnerability was reported to ServiceNow by a third-party researcher. There exists a reflected XSS within the logout functionality of ServiceNow. This enables an unauthenticated remote attacker to execute arbitrary JavaScript code in the browser-based web console. To exploit this vulnerability a user must click on a maliciously crafted URL.

This issue affects ServiceNow versions prior to San Diego Patch 4b and Patch 6. This issue has been fixed in San Diego Patch 6, San Diego Patch 4b, Rome Patch 10 HotFix 2, Patch 9b, and Quebec Patch 10 HotFix 7b (see table below). The best practice to remediate this issue is to upgrade your instance with the patch as soon as possible.

| Release   | Impacted Versions                                       | Fixed Versions    |
|-----------|---------------------------------------------------------|-------------------|
| Quebec    | All Versions                                            | QP10 HF7b         |
| Rome      | All Versions                                            | RP9b & RP10 HF2   |
| San Diego | Versions prior to SP6 (except 4b, which has the fix)    | SP4b & SP6+       |
| Tokyo     | N/A                                                     | Tokyo GA          |

Patches have been scheduled for your instances. To view your patching schedules, open the Maintenance Calendar and expand the September 2022 Patching Program. You can adjust the patch schedule by selecting the Reschedule Action dropdown.

Additional Resources

ServiceNow does not endorse or share the views, positions, or claims expressed by any of the following links. They are provided solely as supplementary material.

https://nvd.nist.gov/vuln/detail/CVE-2022-38463
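The advisory describes the general class of defect (a reflected XSS reachable through a crafted URL on the logout path) without showing code. The following is an added illustration, not ServiceNow's code and not a description of how its logout page is built: it contrasts a handler that concatenates a query-string value straight into the response with one that HTML-encodes it first, so that markup arriving in the URL is displayed as text rather than interpreted by the browser. The page layout, the `reason` parameter name and the instance hostname are assumptions made for the example; the sample URL carries harmless `<b>` markup only, to make the difference in handling visible.

```javascript
// Added example (not ServiceNow code). The parameter name "reason", the
// page markup and the hostname are assumptions chosen for illustration.

// Map every character with HTML significance to its entity so that
// untrusted text cannot terminate or start tags or attributes.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Defect pattern: the untrusted query-string value is placed into the
// response body unchanged, so any markup it contains is rendered.
function renderLogoutPageVulnerable(reason) {
  return `<p>You have been logged out: ${reason}</p>`;
}

// Hardened form: the same value is encoded on output, so the browser
// shows the characters instead of interpreting them as HTML.
function renderLogoutPageHardened(reason) {
  return `<p>You have been logged out: ${escapeHtml(reason)}</p>`;
}

// Read the parameter the way a server-side handler would; URL decoding
// happens here, which is why encoding must be applied afterwards.
function reasonFromUrl(url) {
  return new URL(url).searchParams.get('reason') ?? '';
}

// Constructed sample: harmless bold markup in the query string.
const sampleUrl =
  'https://instance.example.test/logout.do?reason=<b>session</b>%20expired';

const vulnerableHtml = renderLogoutPageVulnerable(reasonFromUrl(sampleUrl));
const hardenedHtml = renderLogoutPageHardened(reasonFromUrl(sampleUrl));

console.log(vulnerableHtml); // markup from the URL survives into the page
console.log(hardenedHtml);   // markup is neutralised as &lt;b&gt;...&lt;/b&gt;
```

Output encoding at the point where the value lands in HTML is the fix that removes the reflected-XSS class regardless of which parameter is involved; a Content-Security-Policy that disallows inline scripts is a useful second layer but does not replace it. For detection, web-server or proxy logs can be reviewed for requests to the logout path whose query string contains URL-encoded angle brackets or script-like fragments, as a trigger for checking the instance's patch level against the table above.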