CVE-2024-5217
unknown
KEV
CVSS v3: —
CVSS v2: —
VIR risk: 1.5
Description
ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
CISA KEV
- Vendor: ServiceNow
- Product: Utah, Vancouver, and Washington DC Now Platform
- Due date: 2024-08-19
Predictions
Exploit likelihood: 99%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313; https://nvd.nist.gov/vuln/detail/CVE-2024-5217
Exploits
References