
ServiceNow has addressed two significant vulnerabilities, CVE-2024-8923 and CVE-2024-8924, which could enable unauthorized remote access, potentially exposing sensitive data and compromising platform integrity.
The first vulnerability, tracked as CVE-2024-8923 with a CVSS score of 9.8, is an input validation flaw that could allow unauthenticated users to execute arbitrary code remotely within the context of the Now Platform.
The second vulnerability, tracked as CVE-2024-8924 with a CVSS score of 7.5, is a blind SQL injection flaw. It could enable an attacker to access unauthorized data within the Now Platform. By exploiting the blind SQL injection, an unauthenticated user could potentially retrieve sensitive information, risking exposure of confidential organizational data.
ServiceNow has released patches to address these vulnerabilities during its August and October 2024 Patching Programs. Organizations are strongly urged to apply the relevant security patches to their instances as soon as possible.



