[Security Advisory] CVE-2022-42704 - Cross-Site Scripting in Service Catalog Widget

ServiceNow Posture
January, 2023

A Cross-Site Scripting (XSS) vulnerability has been discovered and subsequently patched by ServiceNow. There is a stored XSS vulnerability within the "Standard Ticket Conversations" widget in the ServiceNow platform. This vulnerability enables attackers with access to the affected widget to submit arbitrary JavaScript that is executed by other users who access the affected resource later.

The best practice to remediate this issue is to upgrade your instance with the patch as soon as possible AND ensure any customizations to that widget have been reverted. This issue affects ServiceNow versions prior to Rome Patch 5 and San Diego Patch 1.
This issue has been fixed in these versions and below:

Release      Impacted Versions        Fixed Versions
Quebec       All Versions             QP10HF3b
Rome         Versions prior to RP5    RP7b and RP9
San Diego    Versions prior to SP1    SP1HF1b and SP3
Tokyo        N/A                      Tokyo

If you have further questions regarding this issue, please submit a Support Case.

Additional Resources

For more information, please visit KB1196914 (NowSupport login required).

ServiceNow does not endorse or share the views, positions, or claims expressed by any of the following links. They are provided solely as supplementary material.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42704