Potential Data Leak Risk in Employee Relations Plugin

Kohei Tominaga1
Tera Expert

Attention all ServiceNow users leveraging the Employee Relations plugin!

We've identified a potential data leak risk that could compromise sensitive information. While the Employee Relations plugin restricts access to Evidence records based on the associated ER case permissions, a critical vulnerability exists.

Here's the issue:

  • When you attach files to Evidence records, these files are accessible to Admin users who may not have access to the corresponding ER case.
  • This means that sensitive information related to confidential cases could potentially be exposed to unauthorized personnel.

We will report this issue to Now Support and encourage you to share this information with your colleagues and work together to ensure the security of your ServiceNow instance.

Community Alums
Not applicable

Hi @Kohei Tominaga1 ,

Thanks for sharing!!

Quick question: when you say Admin users, are you referring to HR admin or System Admin?

Hi, that is System Admin without HR Admin role!

Community Alums
Not applicable

ok

ChitraN
Tera Contributor

Hi Kohei, thanks for sharing. Was this issue fixed? Could you give any reference links for more information on this security issue?