Associated vulnerabilities
Description
This script automatically detects and remediates **CVE-2025-11449** and **CVE-2025-11450** security vulnerabilities in ServiceNow UI Macros. These critical vulnerabilities could allow arbitrary code execution in users' browsers through specially crafted links if user-controlled `sysparm_` parameters are not properly sanitized.
Introduction
# ServiceNow CVE-2025-11449 & CVE-2025-11450 Mitigation Script
## Overview
This script automatically detects and remediates **CVE-2025-11449** and **CVE-2025-11450** in ServiceNow UI Macros. Both are cross-site scripting (XSS) issues: a specially crafted link can execute attacker-controlled JavaScript in a user's browser when user-controlled `sysparm_` parameters are rendered without proper Jelly escaping.
## Affected UI Macros
- `$pwd_verify_email`
- `$pwd_verify_personal_data_ui`
## What This Script Does
The script performs two key security fixes:
### 1. **Outside `<g:evaluate>` Blocks**: Adds proper encoding
Replaces unescaped or singly escaped references with the doubly escaped form, which applies both the JavaScript and the HTML Jelly escaping types:
- `${sysparm_<XYZ>}` → `${JS,HTML:sysparm_<XYZ>}`
- `${HTML:sysparm_<XYZ>}` → `${JS,HTML:sysparm_<XYZ>}`
- `${JS:sysparm_<XYZ>}` → `${JS,HTML:sysparm_<XYZ>}`
### 2. **Inside `<g:evaluate>` Blocks**: Uses Jelly variable references
Inside `<g:evaluate>`, a `${...}` expression is substituted into the server-side script text before that script runs, so encoding meant for browser output does not help: the parameter value becomes part of the code rather than data. The script therefore replaces string interpolation with references to the Jelly variable object, which pass the value as data:
- `"${sysparm_<XYZ>}"` → `jelly.sysparm_<XYZ>` (removes the surrounding quotes, because the reference is an expression, not a string literal)
- `${HTML:sysparm_<XYZ>}` → `jelly.sysparm_<XYZ>`
- Even `${JS,HTML:sysparm_<XYZ>}` → `jelly.sysparm_<XYZ>` (no escaping type makes interpolation inside `<g:evaluate>` safe)
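The two rules above as working rewrite logic, as an added example that is not the repository's `CVE_2025_11449_fix.js` (whose regexes are not shown here). It splits a macro's XML into `<g:evaluate>` and non-`<g:evaluate>` regions, applies the matching rule to each, and produces a report in the shape of the README's example output. The macro XML, the function names and the regular expressions are my own; in a Scripts - Background run the XML would be read from the macro record instead of the constructed `SAMPLE_XML`.

```javascript
// Added example, not the repository's CVE_2025_11449_fix.js: pure rewrite logic for
// the two rules above, runnable under Node.js. The regexes and names are assumptions;
// SAMPLE_XML is a constructed fragment, not a real ServiceNow macro.

// A whole <g:evaluate> element, self-closing or with a body. Quoted attribute
// values are consumed as units so a '>' inside expression="..." does not end the tag.
const EVALUATE_RE =
  /<g:evaluate\b(?:"[^"]*"|'[^']*'|(?!\/>)[^'">])*(?:\/>|>[\s\S]*?<\/g:evaluate>)/g;

// Outside <g:evaluate>: ${sysparm_x}, ${HTML:sysparm_x}, ${JS:sysparm_x}.
// ${JS,HTML:sysparm_x} does not match, so already-fixed references are left alone.
const OUTSIDE_RE = /\$\{\s*(?:(?:HTML|JS)\s*:\s*)?(sysparm_\w+)\s*\}/g;

// Inside <g:evaluate>: any escape list (or none), optionally wrapped in a matching
// pair of quotes. \1 only matches when both quotes are present, so "${sysparm_x}"
// becomes jelly.sysparm_x with the quotes removed. This generalises the page's
// three cases to single quotes and arbitrary escape lists.
const INSIDE_RE =
  /(["']?)\$\{\s*(?:[A-Z]+(?:\s*,\s*[A-Z]+)*\s*:\s*)?(sysparm_\w+)\s*\}\1/g;

function cureOutside(text, found) {
  return text.replace(OUTSIDE_RE, (match, name) => {
    found.push(match);
    return '${JS,HTML:' + name + '}';
  });
}

function cureInside(text, found) {
  return text.replace(INSIDE_RE, (match, _quote, name) => {
    found.push(match);
    return 'jelly.' + name;
  });
}

// Splits the macro XML into <g:evaluate> and non-<g:evaluate> regions, applies the
// matching rule to each and returns both the findings and the suggested cured XML.
function cureMacroXml(xml) {
  const findings = { outside: [], inside: [] };
  let cured = '';
  let last = 0;
  let m;
  EVALUATE_RE.lastIndex = 0;
  while ((m = EVALUATE_RE.exec(xml)) !== null) {
    cured += cureOutside(xml.slice(last, m.index), findings.outside);
    cured += cureInside(m[0], findings.inside);
    last = m.index + m[0].length;
  }
  cured += cureOutside(xml.slice(last), findings.outside);
  return { findings, cured };
}

// Report in the shape of the README's "Example Output": first five hits, then a count.
function formatReport(name, sysId, active, findings) {
  const lines = ['AFFECTED Macro: ' + name + ' (sys_id: ' + sysId + ')' +
    (active ? ' [ACTIVE - HIGH PRIORITY]' : '')];
  const section = (where, hits) => {
    lines.push('Found ' + hits.length + ' vulnerable sysparm_ pattern(s) ' + where + ':');
    hits.slice(0, 5).forEach((hit) => lines.push('  - ' + hit));
    if (hits.length > 5) lines.push('  ... and ' + (hits.length - 5) + ' more');
  };
  section('outside <g:evaluate>', findings.outside);
  section('inside <g:evaluate>', findings.inside);
  return lines.join('\n');
}

// Constructed macro fragment covering every rule (not a real ServiceNow macro).
const SAMPLE_XML = [
  '<?xml version="1.0" encoding="utf-8" ?>',
  '<j:jelly trim="false" xmlns:j="jelly:core" xmlns:g="glide">',
  '  <g:evaluate var="jvar_ids">',
  '    var verificationId = "${sysparm_verification_id}";',
  '    var requestId = ${JS,HTML:sysparm_request_id};',
  '  </g:evaluate>',
  '  <input type="hidden" name="sysparm_verification_id" value="${HTML:sysparm_verification_id}"/>',
  '  <a href="pwd_verify.do?sysparm_verification_id=${sysparm_verification_id}">Retry</a>',
  '  <script>var lang = "${JS:sysparm_lang}"; var ok = "${JS,HTML:sysparm_ok}";</script>',
  '</j:jelly>',
].join('\n');

const demo = cureMacroXml(SAMPLE_XML);
console.log(formatReport('$pwd_verify_personal_data_ui', '<sys_id>', true, demo.findings));
console.log('Suggested Cured XML:\n' + demo.cured);
```

The rewrite is purely textual, which is why the cured XML still needs a manual review: a reference that sits inside a larger string literal, such as `"${sysparm_x} more"`, keeps its quotes and becomes `"jelly.sysparm_x more"`, a literal string rather than the variable, and has to be fixed by hand. Running the function a second time over its own output changes nothing, so a macro that has already been fixed is reported clean.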
## Usage
### Prerequisites
- ServiceNow instance with admin access
- Access to Scripts - Background module
### Instructions
1. **Backup First!**
   - Export your current UI Macros before running this script
   - Navigate to **System UI > UI Macros**
   - Export `$pwd_verify_email` and `$pwd_verify_personal_data_ui`
2. **Run the Detection Script**
- Navigate to **System Definition > Scripts - Background**
- Copy and paste the script from `CVE_2025_11449_fix.js`
- Click **Run script**
3. **Review the Output**
- The script will log all vulnerabilities found
- Review the "Suggested Cured XML" output
- Verify the changes are appropriate for your environment
4. **Apply the Fix**
- **Manual Application (Recommended)**: Copy the cured XML and manually update the UI Macro
5. **Test Thoroughly**
- Test password reset flows
- Verify email verification processes
- Ensure no functionality is broken
## Example Output
```
AFFECTED Macro: $pwd_verify_personal_data_ui (sys_id: abc123...) [ACTIVE - HIGH PRIORITY]
Found 8 vulnerable sysparm_ pattern(s) outside <g:evaluate>:
- ${HTML:sysparm_verification_id}
- ${HTML:sysparm_verification_id}
- ${HTML:sysparm_verification_id}
- ${HTML:sysparm_verification_id}
- ${HTML:sysparm_verification_id}
... and 3 more
Found 1 vulnerable sysparm_ pattern(s) inside <g:evaluate>:
- "${sysparm_verification_id}"
Suggested Cured XML:
[Fixed XML output here]
---
```
### Customize for Other Macros
To check additional UI Macros, modify line 3:
```javascript
var macrosToCheck = ['$pwd_verify_email', '$pwd_verify_personal_data_ui', 'your_custom_macro'];
```
## Security Impact
**CRITICAL**: These vulnerabilities allow Cross-Site Scripting (XSS) attacks that could:
- Execute arbitrary JavaScript in user browsers
- Steal session tokens and credentials
- Perform actions on behalf of authenticated users
- Compromise password reset flows
## Contributing
Found an issue or have an improvement? Please:
1. Open an issue with details
2. Submit a pull request with test cases
3. Report false positives/negatives
## References
- [ServiceNow Security Advisory - CVE-2025-11449 and CVE-2025-11450 (KB2555298)](https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2555298)
- [Jelly escaping types (ServiceNow documentation)](https://www.servicenow.com/docs/csh?topicname=r_JellyEscapingTypes.html)
## License
MIT License - Feel free to use, modify, and distribute.
## Disclaimer
**Use at your own risk!** Always:
- Test in a sub-production environment first
- Back up your UI Macros before applying changes
- Review the generated XML manually
- Understand the security implications
This script is provided as-is without warranty. The author is not responsible for any damage or issues caused by its use.
## Author
The script was generated by [ServiceNow Helper](https://github.com/DanielMadsenDK/servicenow-helper) by Daniel Aagren Seehartrai Madsen
Created to help the ServiceNow community address critical security vulnerabilities quickly and safely.
## Changelog
### v1.0.0 (2025-10-10)
- Initial release
---
File snapshot
[4.0K] /data/pocs/e349e3274451dc87947f5df6495167189d1a2669
├── [7.0K] CVE_2025_11449_fix.js
├── [1.1K] LICENSE
└── [4.2K] README.md
0 directories, 3 files