
Description

ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply the appropriate updates or upgrade if they have not already done so.

PUBLISHED Reserved 2025-10-07 | Published 2025-10-10 | Updated 2025-10-10 | Assigner SN




MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
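The weakness class is output encoding, not input validation: the value from the crafted link reaches the HTML response without being neutralized for the context it lands in. The block below is an added illustration, not ServiceNow code and not the affected page; the route, parameter name `q`, markup and payloads are all hypothetical. It renders a query value once without encoding and once with entity encoding, and checks whether attacker-supplied markup survives into the response.

```javascript
// Added example of CWE-79 (reflected XSS), not code from ServiceNow.
// The search page, the "q" parameter and the payloads are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Entity-encode a value so it is inert in HTML text and in a
// double-quoted attribute (the two contexts the template below uses).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the URL parameter is concatenated straight into the markup,
// in both a text context and an attribute context.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>\n` +
         `<input name="q" value="${query}">`;
}

// Fixed: the same template, but every untrusted value is encoded before
// it enters the page.
function renderSearchFixed(query) {
  const safe = escapeHtml(query);
  return `<h1>Results for ${safe}</h1>\n` +
         `<input name="q" value="${safe}">`;
}

// The "specially crafted link" from the advisory: the payload rides in the
// query string and is reflected by the server.
function queryFromLink(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Detection used by this example: the template itself contains no <script>
// or <img> element, so any such tag in the output came from the attacker.
function containsInjectedMarkup(html) {
  return /<script\b|<img\b/i.test(html);
}

// Constructed payloads: one breaks out of the attribute, one targets the
// text context.
const ORIGIN = 'https://example.invalid/search?q=';
const ATTRIBUTE_BREAKOUT_LINK =
  ORIGIN + encodeURIComponent('"><img src=x onerror=alert(1)>');
const TEXT_CONTEXT_LINK =
  ORIGIN + encodeURIComponent('<script>alert(document.cookie)</script>');

// Run both renderers over both links; returns true when the vulnerable
// renderer reflects the markup and the fixed one neutralizes it.
function demonstrate() {
  return [ATTRIBUTE_BREAKOUT_LINK, TEXT_CONTEXT_LINK].every((link) => {
    const q = queryFromLink(link);
    return containsInjectedMarkup(renderSearchVulnerable(q)) &&
           !containsInjectedMarkup(renderSearchFixed(q));
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable reflects, fixed neutralizes:', demonstrate());
}
```

Encoding must match the destination context: the entity set above covers HTML text and quoted attributes, but a value inserted into a `<script>` block, a URL, or an unquoted attribute needs its own encoder, and a templating engine that auto-escapes by default removes the chance to forget it.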

Product status

Default status: unaffected

Affected: any version before Washington DC Patch 10 Hot Fix 7b
Affected: any version before Xanadu Patch 10 Hot Fix 1a
Affected: any version before Xanadu Patch 11
Affected: any version before Yokohama Patch 7 Hot Fix 2a
Affected: any version before Yokohama Patch 8
Affected: any version before Yokohama Patch 9
Affected: any version before Zurich Patch 1 Hot Fix 1a
Affected: any version before Zurich Patch 2
Affected: any version before Zurich Patch 3
Affected: any version before Australia General Availability (GA)

Credits

Adam Kues, Assetnote (finder)

Shubham Shah, Assetnote (finder)

References

support.servicenow.com/...cle_view&sysparm_article=KB2552817

cve.org (CVE-2025-11449)

nvd.nist.gov (CVE-2025-11449)
