Function of com.glide.csp.self_script_src_svg

VibhaSastry · ‎10-11-2024

What is the function of the com.glide.csp.self_script_src_svg property, and how can we accurately verify whether the property is working fine?

Additionally, what are the implications of enabling/disabling this property

sergiu_panaite · ‎10-11-2024

When I said loading I was referring to external SVG images that you load into the instance, not the OOB ones. The vulnerability that was fixed was part of loading an external SVG image.

VibhaSastry · ‎10-13-2024

I have tried loading an external svg image into the images table as well in both cases when the property was true and false, in both cases I am able to load the images into servicenow instance. Please let me know how can I accurately validate this property as this method is not working in my PDI

sergiu_panaite · ‎10-14-2024

Hi @VibhaSastry

The vulnerability referred to a way of crafting Javascript inside the SVG image which would be executed when image is rendered in ServiceNow, therefore loading a normal SVG image would work irrespective of the property value. I cannot disclose the full vulnerability.

VibhaSastry · ‎10-14-2024

If I enable the property, how can I unit test?

sergiu_panaite · ‎10-17-2024

I cannot tell you how to unit test since I cannot disclose the full vulnerability as I mentioned before.