CVE-2019-20768

Severity: MEDIUM | CVSS 5.4/10 | EPSS 0.72%

CVE-2019-20768 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do. EPSS estimates a 0.72% chance of exploitation in the next 30 days.

Description

ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do.

Metrics

CVSS 3.1
5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.72%

49.2nd percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor     | Product                | Versions
ServiceNow | IT Service Management  | Kingston
ServiceNow | IT Service Management  | London
ServiceNow | IT Service Management  | Madrid

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

What is CVE-2019-20768?
ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do.
How severe is CVE-2019-20768?
CVE-2019-20768 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.72% probability of exploitation in the next 30 days.
How do I fix CVE-2019-20768?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.


Source: NVD / NIST