CVE-2019-20768 in IT Service Management Kingston

Summary

by MITRE

ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do.


Analysis

by VulDB Data Team • 05/06/2020

This vulnerability exists in ServiceNow's IT Service Management suite across multiple versions including Kingston through Patch 14-1, London through Patch 7, and Madrid before Patch 4. The flaw manifests as a stored cross-site scripting vulnerability that can be exploited through manipulation of specific parameters within the service_catalog.do endpoint. The attack vector involves crafting malicious sysparm_item_guid and sys_id parameters that are then stored in the application's database and subsequently executed when other users view the affected incident requests. This represents a critical security weakness that allows attackers to inject malicious scripts into the application's data storage layer, making it particularly dangerous as the malicious code persists and executes automatically when legitimate users access the affected pages.

The technical root cause of this vulnerability is insufficient input validation and output sanitization within ServiceNow's service catalog processing logic. When users submit incident requests through the service_catalog.do endpoint, the application fails to properly sanitize the sysparm_item_guid and sys_id parameters before storing them in the database. This allows attackers to embed malicious JavaScript code within these parameters, which is then stored alongside legitimate data. The vulnerability is classified under CWE-79 as a Cross-Site Scripting flaw, specifically a stored XSS variant in which the malicious payload is persisted on the server rather than reflected in a single request. This persistent nature makes the vulnerability particularly dangerous, as it can affect multiple users over extended periods without requiring repeated exploitation attempts.

The operational impact of this vulnerability is significant for organizations relying on ServiceNow's ITSM platform, as it provides attackers with a means to execute arbitrary code within the context of authenticated user sessions. Successful exploitation could enable attackers to steal session cookies, access sensitive data, modify service catalog items, or even escalate privileges within the ServiceNow environment. The vulnerability affects the core service catalog functionality and can compromise the integrity of incident management workflows, potentially leading to unauthorized service requests, data exfiltration, or disruption of business operations. Attackers could leverage this vulnerability to target privileged users such as system administrators or service catalog managers, amplifying the potential damage. The stored nature of the vulnerability means that once exploited, the malicious code continues to execute for all users who interact with the affected incident records, creating a persistent threat vector.

Organizations should immediately apply the relevant patches provided by ServiceNow to address this vulnerability, as no reliable workarounds exist that would fully mitigate the risk without compromising system functionality. The recommended mitigation strategy involves implementing proper input validation and output encoding within the service_catalog.do endpoint so that all user-supplied parameters are sanitized before storage and encoded for their output context when rendered. Additionally, organizations should conduct comprehensive security reviews of their ServiceNow configurations, particularly focusing on service catalog item permissions and user access controls. Network segmentation and monitoring solutions should be deployed to detect unusual patterns in service catalog requests that might indicate exploitation attempts. Security teams should also implement regular vulnerability scanning and penetration testing of their ServiceNow environments to identify similar weaknesses. This vulnerability aligns with ATT&CK techniques T1531, which covers 'Modify Existing Service', and T1059.007, which covers 'Command and Scripting Interpreter: JavaScript', demonstrating how attackers can leverage stored XSS to establish persistent access and execute malicious scripts within the target environment.
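The two defensive measures the analysis calls for, allow-list validation with output encoding for the named parameters and monitoring of service_catalog.do requests, are shown together below. This is an added example written for this page, not ServiceNow code and not a description of how the vendor patch works. It assumes that sysparm_item_guid and sys_id carry ServiceNow-style 32-character hexadecimal record ids, so any other value is rejected rather than cleaned; the log format and all log lines are constructed for the example.

```javascript
// Added example (not ServiceNow code): allow-list validation and contextual
// output encoding for the two parameters named in the advisory, plus a
// detection pass over constructed web-server log lines.
// Assumption: sysparm_item_guid and sys_id are ServiceNow-style 32-character
// hexadecimal record ids. Anything else is rejected, not "sanitised".

const SYS_ID_RE = /^[0-9a-fA-F]{32}$/;

// Allow-list check: the only legitimate shape for these ids.
function isValidSysId(value) {
  return typeof value === 'string' && SYS_ID_RE.test(value);
}

// Output encoding for HTML text and double-quoted attribute contexts.
// Applied to anything that is rendered, in addition to input validation.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validates the id parameters of an incident request before they are stored.
// `params` is a URLSearchParams. Returns { ok: true, values } or { ok: false, errors }.
function validateCatalogParams(params) {
  const errors = [];
  const values = {};
  for (const name of ['sysparm_item_guid', 'sys_id']) {
    const v = params.get(name);
    if (v === null) continue; // parameter absent: nothing to check
    if (!isValidSysId(v)) {
      // The offending value is encoded before it can reach any HTML error page.
      errors.push(`${name}: expected 32 hex chars, got ${escapeHtml(v)}`);
    } else {
      values[name] = v.toLowerCase();
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, values };
}

// Hardened rendering of a stored record: the id goes through URL encoding,
// the free-text field through HTML encoding, each for its own context.
function renderItemLink(record) {
  return `<a href="service_catalog.do?sys_id=${encodeURIComponent(record.sys_id)}">` +
         `${escapeHtml(record.short_description)}</a>`;
}

// Detection: flag service_catalog.do requests whose id parameters fail the
// allow-list. Constructed log format: <ip> <ts> "<METHOD> <path?query> HTTP/x" <status>
function findSuspiciousRequests(logLines) {
  const findings = [];
  const lineRe = /^(\S+) \S+ "(\w+) (\S+) HTTP\/[\d.]+" (\d{3})/;
  for (const line of logLines) {
    const m = lineRe.exec(line);
    if (!m) continue;
    const [, ip, method, target, status] = m;
    // The base URL is a placeholder; it is only needed to parse a relative target.
    const url = new URL(target, 'http://placeholder.invalid');
    if (!url.pathname.endsWith('/service_catalog.do')) continue;
    const result = validateCatalogParams(url.searchParams);
    if (!result.ok) {
      findings.push({ ip, method, status: Number(status), errors: result.errors });
    }
  }
  return findings;
}

// Constructed sample log lines (not captured from any real instance).
const SAMPLE_LOG = [
  '10.0.0.5 [06/May/2020:10:00:01] "POST /service_catalog.do?sysparm_item_guid=0123456789abcdef0123456789abcdef&sys_id=fedcba9876543210fedcba9876543210 HTTP/1.1" 200',
  '10.0.0.9 [06/May/2020:10:00:07] "POST /service_catalog.do?sysparm_item_guid=%3Cb%3Einjected%3C%2Fb%3E&sys_id=fedcba9876543210fedcba9876543210 HTTP/1.1" 200',
  '10.0.0.5 [06/May/2020:10:00:12] "GET /incident.do?sys_id=not-a-sys-id HTTP/1.1" 200',
];

console.log(JSON.stringify(findSuspiciousRequests(SAMPLE_LOG), null, 2));
```

The validation step rejects rather than rewrites: a record id has exactly one legitimate shape, so there is nothing to clean, and an allow-list cannot be bypassed by an encoding the filter did not anticipate. The encoding step is still applied on output because other fields on the same page (the short description, for example) are genuinely free text. The same allow-list doubles as the detection rule over access logs, so a request that would have been rejected by the hardened endpoint is also visible to the monitoring team on an unpatched one.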

Reservation

04/15/2020

Moderation

accepted

CPE

ready

EPSS

0.00719

KEV

no

Activities

very low

Sources
