CVE-2018-7748
NONE EPSS 83.3%
Published Aug 3, 2018 (7y ago)
Last Modified Jun 17, 2026 (2w ago)
Description
report_viewer.do in ServiceNow Release Jakarta Patch 8 and earlier allows remote attackers to execute arbitrary code via '${xyz}' Glide Scripting Injection in the sysparm_media parameter.
Threat Intelligence
EPSS Exploit Probability
83.3% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-94 Improper Control of Generation of Code ('Code Injection')
Affected Products 12
| Vendor | Product | Version | Range |
|---|---|---|---|
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
| servicenow | servicenow | jakarta | any |
References 2
- telekomsecurity.github.io https://telekomsecurity.github.io/2018/07/servicenow-privilege-escalation.html
- telekomsecurity.github.io https://telekomsecurity.github.io/assets/advisories/20180104_ServiceNow_GlideInjection.txt
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.