Potential Data Leak Risk in Employee Relations Plugin

Kohei Tominaga1
Tera Expert

Attention all ServiceNow users leveraging the Employee Relations plugin!

We've identified a potential data leak risk that could compromise sensitive information. While the Employee Relations plugin restricts access to Evidence records based on the associated ER case permissions, a critical vulnerability exists.

Here's the issue:

  • When you attach files to Evidence records, these files are accessible to Admin users who may not have access to the corresponding ER case.
  • This means that sensitive information related to confidential cases could potentially be exposed to unauthorized personnel.

We will report this issue to Now Support and encourage you to share this information with your colleagues and work together to ensure the security of your ServiceNow instance.

5 REPLIES

Hi, this is fixed on the Yokohama instance.

Here is the KB link; PRB1779170 is the issue:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1710869