CVE-2024-8924

HIGH

ServiceNow - Unauthenticated Blind SQL Injection

Title source: llm
STIX 2.1

Description

ServiceNow has addressed a blind SQL injection vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to extract unauthorized information. ServiceNow deployed an update to hosted instances, and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.0051
EPSS Percentile 39.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
servicenow/servicenow xanadu (3 CPE variants)
servicenow/servicenow vancouver (47 CPE variants)
Published Oct 29, 2024
Tracked Since Feb 18, 2026