CVE-2024-8923 CRITICAL

CVE-2024-8923: Sandbox Escape in Now Platform

Vendor ServiceNow
Product Now Platform
Weakness CWE-94 · Code injection
Published October 29, 2024
Last update October 31, 2024

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.

Key dates

02 Disclosure timeline

October 29, 2024 CVE published
October 31, 2024 Record updated
