CVE-2023-1298 - Cross-Site Scripting (XSS) vulnerability in the NOW User Experience

ServiceNow Posture July 2023

Description

ServiceNow has released upgrades and patches that address a Reflected Cross-Site Scripting (XSS) vulnerability that was identified in the ServiceNow Polaris Layout. This vulnerability would enable an authenticated user to inject arbitrary scripts.

Additional Details

This vulnerability is present in the following supported ServiceNow releases:

- San Diego prior to San Diego Patch 10
- Tokyo prior to Tokyo Patch 4b and Patch 6
- Utah Patch 1

Resolution

This vulnerability has been addressed in the releases and patches listed in the table below. Customers can view their patching schedules via the Maintenance Calendar.

Release      Fixed Version
San Diego    Patch 10
Tokyo        Patch 4b and Patch 6
Utah         Patch 2, Patch 1 Hotfix 1a* and Utah Patch 1 Hotfix 1b

*Utah Patch 1 Hotfix 1a has been retired and replaced with Utah Patch 1 Hotfix 1b.
For customers with instances still using a version of ServiceNow in which the vulnerability is present, ServiceNow recommends applying the appropriate upgrade or patch to those instances as soon as possible. Customers can adjust their patch schedules by selecting the Reschedule Action dropdown. For customers who require technical assistance with this issue, please contact ServiceNow Technical Support.

Additional Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1298

Change Log

Version    Published        Summary of Changes
1.0        July 06, 2023    Initial publication