CVE-2018-7748

NONE EPSS 83.3%
Published Aug 3, 2018 (7y ago) · Modified Jun 17, 2026 (2w ago)

Description

report_viewer.do in ServiceNow Release Jakarta Patch 8 and earlier allows remote attackers to execute arbitrary code via '${xyz}' Glide Scripting Injection in the sysparm_media parameter.

Threat Intelligence

EPSS Exploit Probability
83.3% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-94: Improper Control of Generation of Code (Code Injection)

Affected Products 12

Vendor      Product     Version  Range
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any
servicenow  servicenow  jakarta  any

References 2

  • telekomsecurity.github.io https://telekomsecurity.github.io/2018/07/servicenow-privilege-escalation.html
    Exploit, Third Party Advisory
  • telekomsecurity.github.io https://telekomsecurity.github.io/assets/advisories/20180104_ServiceNow_GlideInjection.txt
    Exploit, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.