CVE-2022-46389 MEDIUM

CVE-2022-46389: Cross-Site Scripting (XSS) vulnerability found on logout functionality

Vendor Servicenow

Product Now Platform

Weakness CWE-79 · XSS

Published April 17, 2023

Last update February 6, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There exists a reflected XSS within the logout functionality of ServiceNow versions lower than Quebec Patch 10 Hotfix 11b, Rome Patch 10 Hotfix 3b, San Diego Patch 9, Tokyo Patch 4, and Utah GA. This enables an unauthenticated remote attacker to execute arbitrary JavaScript code in the browser-based web console.

Key dates

02Disclosure timeline

April 17, 2023 CVE published

February 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-46389

Related vulnerabilities

Identifiers

CVE CVE-2022-46389

CWE CWE-79

CVSS 6.1 / MEDIUM

Affected versions

Vendor Servicenow

Product Now Platform

Affected ≥ Quebec and < Patch 10 Hotfix 11b

Vendor Servicenow

Product Now Platform

Affected ≥ Rome and < Patch 10 Hotfix 3b

Vendor Servicenow

Product Now Platform

Affected ≥ San Diego and < Patch 9

Vendor Servicenow

Product Now Platform

Affected ≥ Tokyo and < Patch 4

Vendor Servicenow

Product Now Platform

Affected ≥ Utah and < GA

CVE-2022-46389: Cross-Site Scripting (XSS) vulnerability found on logout functionality

01Description

02Disclosure timeline

03References

04Related CVE