Technical Severity
CRITICAL
CVSS v3.1 Metrics
9.8
/ 10
Minimal Risk
Critical
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Likelihood
EPSS Prediction
94.11
%
Predictive Probability
Percentile Rank
99.9
th
Documented as more likely to be exploited than 99.9% of known CVEs.
Detection Date
Jul 29, 2024
Remediation Due
Aug 19, 2024
CISA Catalog Active
Threat Analysis
ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
Remediation Directive
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.