PT-2020-10743 · Servicenow · Servicenow It Service Management

Published 2020-05-05 · Updated 2020-05-12 · CVE-2019-20768

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

ServiceNow IT Service Management versions Kingston through Patch 14-1
ServiceNow IT Service Management versions London through Patch 7
ServiceNow IT Service Management versions Madrid before Patch 4

Description

The issue allows stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to "service_catalog.do".

Recommendations

For ServiceNow IT Service Management versions Kingston through Patch 14-1, apply patch 14-1 or later to resolve the issue. For ServiceNow IT Service Management versions London through Patch 7, apply patch 7 or later to resolve the issue. For ServiceNow IT Service Management versions Madrid before patch 4, apply patch 4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "service_catalog.do" endpoint until a patch is available. Avoid using the sysparm_item_guid and sys_id parameters in the affected endpoint until the issue is resolved.
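Until the patch is applied, a defender can at least watch the affected endpoint for the crafted parameter values the advisory describes. The script below is an added example, not part of this advisory or of ServiceNow's own tooling: it scans web-server access-log lines for requests to service_catalog.do and flags any sysparm_item_guid or sys_id value that is not a well-formed sys_id (32 hexadecimal characters). The log lines are constructed for the example, and the assumption that no legitimate client sends any other value format for these two parameters is specific to the deployment being monitored.

```python
import re
from urllib.parse import urlsplit, parse_qs

# ServiceNow sys_id values are 32 hexadecimal characters, and
# sysparm_item_guid carries a sys_id as well. Anything else in those
# parameters is out of spec and worth flagging. Assumption for this
# example: the deployment never legitimately sends other formats.
SYS_ID_RE = re.compile(r"^[0-9a-fA-F]{32}$")
WATCHED_PARAMS = ("sysparm_item_guid", "sys_id")
WATCHED_PATH = "/service_catalog.do"

# Constructed sample access-log lines (common log format). The markup in
# line 2 is a harmless placeholder used only to exercise the check.
SAMPLE_LOG = """\
10.0.0.5 - alice [05/May/2020:10:00:01 +0000] "GET /service_catalog.do?sysparm_item_guid=0123456789abcdef0123456789abcdef&sys_id=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 512
10.0.0.7 - bob [05/May/2020:10:00:02 +0000] "GET /service_catalog.do?sysparm_item_guid=%3Cscript%3Eplaceholder%3C%2Fscript%3E&sys_id=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 512
10.0.0.8 - carol [05/May/2020:10:00:03 +0000] "GET /incident.do?sys_id=not-a-sys-id HTTP/1.1" 200 128
10.0.0.9 - dave [05/May/2020:10:00:04 +0000] "GET /service_catalog.do?sysparm_item_guid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512
"""

# Pulls the request line ("METHOD target HTTP/x.y") out of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_text):
    """Return (line_number, parameter, decoded_value) for every watched
    parameter on service_catalog.do whose value is not a well-formed sys_id.
    Requests to other paths are ignored, even if their parameters look odd."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes values, so encoded markup is checked in clear
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if not SYS_ID_RE.match(value):
                    findings.append((lineno, name, value))
    return findings


if __name__ == "__main__":
    for lineno, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: {name} is not a sys_id: {value!r}")
```

Only the second sample line is reported; the third carries a malformed sys_id but targets a different endpoint, which is why the path check comes before the parameter check. Running this over real logs would require adapting REQUEST_RE to the server's log format.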

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2019-20768

Affected Products: ServiceNow IT Service Management