Potential Data Leak Risk in Employee Relations Plugin
06-19-2024 07:56 PM
Attention all ServiceNow users leveraging the Employee Relations plugin!
We've identified a potential data leak risk that could compromise sensitive information. While the Employee Relations plugin restricts access to Evidence records based on the associated ER case permissions, a critical vulnerability exists.
Here's the issue:
- When you attach files to Evidence records, these files are accessible to Admin users who may not have access to the corresponding ER case.
- This means that sensitive information related to confidential cases could potentially be exposed to unauthorized personnel.
We will report this issue to Now Support and encourage you to share this information with your colleagues and work together to ensure the security of your ServiceNow instance.
06-19-2024 08:42 PM
Hi @Kohei Tominaga1 ,
Thanks for sharing!!
Quick question: when you say Admin users, are you referring to HR admin or System Admin?
06-19-2024 09:02 PM
Hi, that is System Admin without the HR Admin role!
06-19-2024 10:01 PM
ok
04-27-2025 10:19 PM
Hi Kohei, thanks for sharing. Was this issue fixed? Could you give any reference links for more information on this security issue?