Potential Data Leak Risk in Employee Relations Plugin

Kohei Tominaga1
Tera Expert

‎06-19-2024 07:56 PM

Attention all ServiceNow users leveraging the Employee Relations plugin!

 

We've identified a potential data leak risk that could compromise sensitive information. While the Employee Relations plugin restricts access to Evidence records based on the associated ER case permissions, a critical vulnerability exists.

 

Here's the issue:

  • When you attach files to Evidence records, these files are accessible to Admin users who may not have access to the corresponding ER case.
  • This means that sensitive information related to confidential cases could potentially be exposed to unauthorized personnel.

We will report this issue to Now Support and encourage you to share this information with your colleagues and work together to ensure the security of your ServiceNow instance.

  • 906 Views
5 REPLIES 5

Kohei Tominaga1
Tera Expert
In response to ChitraN

‎05-06-2025 06:52 PM

Hi, This is fixed on Yokohama instance

Here is KB link and PRB1779170 is the issue
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1710869

0 Helpfuls