SB2025050538 - Multiple vulnerabilities in ServiceNow Washington DC
Published: May 5, 2025
Description
This security bulletin contains information about 68 security vulnerabilities.
1) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Patient Support Services component. A remote user can bypass implemented security restrictions.
2) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Request Management component. A remote user can bypass implemented security restrictions.
3) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Reporting component. A remote user can bypass implemented security restrictions.
4) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the REST API Framework component. A remote user can bypass implemented security restrictions.
5) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Performance Analytics Breakdowns component. A remote user can bypass implemented security restrictions.
6) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Performance Analytics component. A remote user can bypass implemented security restrictions.
7) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Performance Analytics component. A remote user can bypass implemented security restrictions.
8) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Password Reset component. A remote user can bypass implemented security restrictions.
9) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Script Actions component. A remote user can bypass implemented security restrictions.
10) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Mobile Platform component. A remote user can bypass implemented security restrictions.
11) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Mobile Classic app (End of Life) component. A remote user can bypass implemented security restrictions.
12) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the MID Server File Downloader component. A remote user can bypass implemented security restrictions.
13) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the MID Server component. A remote user can bypass implemented security restrictions.
14) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the List Administration component. A remote user can bypass implemented security restrictions.
15) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Legacy Workflow component. A remote user can bypass implemented security restrictions.
16) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the SOAP Web Service component. A remote user can bypass implemented security restrictions.
17) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Server-side scripts component. A remote user can bypass implemented security restrictions.
18) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Interactive Analysis component. A remote user can bypass implemented security restrictions.
19) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the UI Field Administration component. A remote user can bypass implemented security restrictions.
20) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Work Order Management component. A remote user can bypass implemented security restrictions.
21) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Upgrade Center component. A remote user can bypass implemented security restrictions.
22) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the UX Framework component. A remote user can bypass implemented security restrictions.
23) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the UI Macros component. A remote user can bypass implemented security restrictions.
24) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Survey Management component. A remote user can bypass implemented security restrictions.
25) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Service Catalog Portal Widgets component. A remote user can bypass implemented security restrictions.
26) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Software Asset Reclamation component. A remote user can bypass implemented security restrictions.
27) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Session Management component. A remote user can bypass implemented security restrictions.
28) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Service Portal component. A remote user can bypass implemented security restrictions.
29) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Service Operations Workspace for Change Management component. A remote user can bypass implemented security restrictions.
30) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Service Mapping component. A remote user can bypass implemented security restrictions.
31) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Service Mapping component. A remote user can bypass implemented security restrictions.
32) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Knowledge Management component. A remote user can bypass implemented security restrictions.
33) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Integration Hub component. A remote user can bypass implemented security restrictions.
34) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to multiple issues related to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
35) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Case Management component. A remote user can bypass implemented security restrictions.
36) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Consumer Service Portal component. A remote user can bypass implemented security restrictions.
37) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Connect component. A remote user can bypass implemented security restrictions.
38) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Configuration Management Database (CMDB) component. A remote user can bypass implemented security restrictions.
39) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Communities component. A remote user can bypass implemented security restrictions.
40) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Cloud Provisioning and Governance component. A remote user can bypass implemented security restrictions.
41) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Case and Knowledge Management for HR Service Delivery component. A remote user can bypass implemented security restrictions.
42) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the CMDB API component. A remote user can bypass implemented security restrictions.
43) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Discovery component. A remote user can bypass implemented security restrictions.
44) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Audit Management component. A remote user can bypass implemented security restrictions.
45) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Attachments to Records component. A remote user can bypass implemented security restrictions.
46) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Asset Management component. A remote user can bypass implemented security restrictions.
47) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Application Install Engine component. A remote user can bypass implemented security restrictions.
48) Protection Mechanism Failure (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an unspecified vulnerability in the Antivirus Scanning feature. A remote attacker can bypass implemented security restrictions.
49) Input validation error (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified vulnerability in Advanced Work Assignment. A remote user can bypass implemented security restrictions.
50) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Customer Operations for Customer Service Management component. A remote user can bypass implemented security restrictions.
51) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Document Management component. A remote user can bypass implemented security restrictions.
52) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Instance Scan component. A remote user can bypass implemented security restrictions.
53) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the GraphQL API component. A remote user can bypass implemented security restrictions.
54) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Innovation Management component. A remote user can bypass implemented security restrictions.
55) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Identity component. A remote user can bypass implemented security restrictions.
56) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Horizon Component Library component. A remote user can bypass implemented security restrictions.
57) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Healthcare and Life Sciences Service Management Core component. A remote user can bypass implemented security restrictions.
58) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Health Log Analytics (Family) component. A remote user can bypass implemented security restrictions.
59) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the HTML Field Type Editor component. A remote user can bypass implemented security restrictions.
60) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the GlideRecord component. A remote user can bypass implemented security restrictions.
61) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Dynamic Scheduling component. A remote user can bypass implemented security restrictions.
62) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the GRC Platform Plugins component. A remote user can bypass implemented security restrictions.
63) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Form Designer component. A remote user can bypass implemented security restrictions.
64) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Form Controller component. A remote user can bypass implemented security restrictions.
65) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Form Builder component. A remote user can bypass implemented security restrictions.
66) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Flows (Family Channel) component. A remote user can bypass implemented security restrictions.
67) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Financial Management component. A remote user can bypass implemented security restrictions.
68) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified issue within the Email Notifications component. A remote user can bypass implemented security restrictions.
Remediation
Install the update from the vendor's website.
References
- https://servicenow-be-prod.servicenow.com/bundle/washingtondc-prbrn/page/release-notes/dfrn2-washingtondc-onebundle/PRBs-W10.00-W10.04.html
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1807174
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046774