Scan Engine definitions: Security
Scan Engine security definitions measure implementation of protocols across a ServiceNow instance to prevent unauthorized access, data breaches, cyber attacks, and potential vulnerabilities.
Australia definitions
The following security definitions have been added for the Australia 2026 release:
| Number | Active | Level of Finding | Unique ServiceNow Product | Short Description | Business Impact | Steps to Resolve | Supporting Documentation |
|---|---|---|---|---|---|---|---|
| sn_SE10023 | 1 | Act | Scripts should not use the eval() function | Security breach. | Remove the eval function from the script. | Documentation | |
| sn_SE10024 | 1 | Act | Scripts should not use the eval() function | Security breach. | Remove the eval function from the script. | Documentation | |
| sn_SE10045 | 1 | Act | High Security Plugin should be enabled | Many security configurations will be unintentionally left open which in turn may open door for some of the critical vulnerabilities. | Activate the High Security plugin. | Documentation | |
| sn_SE10046 | 1 | Act | Contextual Security: Role Management V2 should be enabled | Removes duplicate records and helps visualize role inheritance. | Activate the Contextual Security: Role Management V2 plugin. | Documentation | |
| sn_SE10074 | 1 | Act | Scan Engine doesn't have access to read data from Applies To table | SE cannot identify any possible findings on these tables without read access. | Remove the Applies To Table record, grant read access on the table to the Scan Engine application, or modify the Table Applies To Table record by selecting Restricted Caller Access. | ||
| sn_SE10083 | 1 | Suggest | Scoped Certification: ACL required on client callable script includes | Users may gain access to data which they are not authorized to. Data inaccuracies could arise. | Create a new ACL with a type of Client Callable Script Include and set the name field to the Script Include name. Associate the appropriate roles to the ACL. | Documentation | |
| sn_SE10085 | 1 | Act | The security manager default mode should be set to "deny". | Prevents users from unintentionally gaining access to data. | Set the value to "Deny". | Documentation | |
| sn_SE10089 | 1 | Suggest | Field set to Read Only through UI Policy without conditions | Unintended updates to the field could happen through list editing. | Check the read only flag on the field___UICTRL_0___table_name.field_name___UICTRL_1___t meet the criteria to edit the field. | Documentation | |
| sn_SE10090 | 1 | Suggest | Field set to Mandatory through UI Policy without conditions | Required data could be empty that prevents the business process from continuing. | Check the mandatory flag on the field's dictionary record to make the field mandatory at all times. | Documentation | |
| sn_SE10100 | 1 | Recommend | UI Pages should have an associated read ACL | Unauthorized users may have access to see data they wouldn't have access to through the backend. | Create a read ACL with an operation of read where the name of the ACL matches the name of the UI Page. Associate the appropriate roles to the read ACL of whom should have read access to the UI page. | Documentation | |
| sn_SE10101 | 1 | Act | Default admin account should be disabled | Unauthorized users may still gain access to the system, potentially leading to breaches of confidential data and data integrity issues. The resulting business impact could be significant and unrestricted. | Deactivate the admin account and remove any group and role association from the admin profile. | Documentation | |
| sn_SE10146 | 1 | Act | HTML data input should be validated through the use of escaping | Injection attacks can occur causing security risks. | Either update the value of the glide.ui.escape_html_list_field system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10147 | 1 | Act | Jelly data input should be validated through the use of escaping | Injection attacks can occur causing security risks. | Either update the value of the glide.ui.escape_all_script system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10148 | 1 | Act | JavaScript data input should be validated through the use of escaping | Injection attacks can occur causing security risks. | Either update the value of the glide.html.escape_script system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10150 | 1 | Act | Client-script queries should be validated | There is a potential for an attacker to perform unauthorized operations against the platform. | Either update the value of the glide.script.use.sandbox system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10151 | 1 | Act | Embedded HTML code should be disabled | Leveraged by attackers to steal session information and sensitive data. | Either update the value of the glide.ui.security.allow_codetag system property to false OR insert this system property with a value of false. | Documentation | |
| sn_SE10152 | 1 | Act | JavaScript tags in Embedded HTML should be disabled | Leveraged by attackers to steal session information and sensitive data. | Either update the value of the glide.ui.security.codetag.allow_script system property to false OR insert this system property with a value of false. | Documentation | |
| sn_SE10153 | 1 | Act | AJAXEvaluate API should be disabled | AJAXEvaluate can allow arbitrary JavaScript to execute on the client browser by leveraging the server side objects | Either update the value of the glide.script.allow.ajaxevaluate system property to false OR insert this system property with a value of false. | Documentation | |
| sn_SE10154 | 1 | Act | HTMLSanitizer validation should be enabled | Client-side cross-site scripting attacks. | Either update the value of the glide.html.sanitize_all_fields system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10155 | 1 | Act | Strict security should be enabled for SOAP requests | Unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.soap.strict_security system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10156 | 1 | Act | Jelly interpolation should be enabled | JEXL injection can lead to both Cross Site Request Forgery and Code Execution | Either update the value of the glide.ui.jelly.js_interpolation.protect system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10157 | 1 | Act | Escaping Excel formulas should be enabled | Malicious formulae pose a risk even when the embedding spreadsheet doesn't contain any sensitive information, as they can be used to compromise the viewer's computer. | Either update the value of the glide.export.escape_formulas system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10159 | 1 | Suggest | Optional: Restrict Access to Specific IP Ranges | Unnecessary risk of exposure to the target instance on the internet | Activate the IP Range Based Authentication plugin if only certain IP addresses should have access to your instance. | Documentation | |
| sn_SE10160 | 1 | Act | Security Jump Start (ACL rules) plugin should be enabled | Access control should be enforced to lock down the unintended access to the instance. ACL jumpstart rules were written to provide a starting point on securing many system tables to make it easier for an organization to quickly get into production. | Activate the Security Jump Start (ACL Rules) plugin. | Documentation | |
| sn_SE10161 | 1 | Act | Inbound transactions should be validated twice | Access request should always be checked when transactions happen between two zones. | Either update the value of the glide.security.strict.updates system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10162 | 1 | Act | UI Action conditions should be validated before execution | Access request should always be checked when transactions happen between two zones. | Either update the value of the glide.security.strict.actions system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10163 | 1 | Act | Performance Monitoring ACL should be enabled | Sensitive data such as server details, threads and process that are being executed on the server should never be visible or accessible to the end user without appropriate privileges. | Either update the value of the glide.security.diag_txns_acl system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10165 | 1 | Act | AJAXGlideRecord ACL Checking should be enabled | Through client scripts, it is possible to query arbitrary data from the server through the GlideAjax API. Server-side resources can be accessed without proper authorization so validating the ACL helps the application validate the request based on the authorization configured. | Either update the value of the glide.script.secure.ajaxgliderecord system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10166 | 1 | Act | SOAP Content Type Checking should be enabled | When accepting inbound SOAP requests, the appropriate validation has to be performed to ensure the relevant content type is being defined as a part of the request and thus restricting the invalid SOAP responses that can be viewed as a security risk. | Either update the value of the glide.soap.require_content_type_xml system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10167 | 1 | Act | SNC Access Control Plugin should be enabled | Unnecessary exposure of instance access to wider group of people. | Activate the SNC Access Control plugin by contacting <ph keyref="var.company-no-reg-tm"/> Customer Support. | Documentation | |
| sn_SE10168 | 1 | Suggest | Optional: Strict IP restriction should be enabled. | Unnecessary exposure of instance access to wider group of people. | Either update the value of the glide.ip.authenticate.strict system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10169 | 1 | Act | Optional: Explicit Role Plugin should be enabled | External Users (Non-employees) will have access to many sensitive tables within ServiceNow which does not have any roles assigned to it and which are meant or designed to be accessible by internal users (Employees) only. | Activate the Explicit Role plugin by contacting <ph keyref="var.company-no-reg-tm"/> Customer Support. | Documentation | |
| sn_SE10172 | 1 | Act | ACLs should be enabled for Live Profile Details | API requests should always honor table ACLs. Restriction needs to be applied to prevent unauthorized users accessing details of a Live Profile. | Either update the value of the glide.live_profile.details system property to ACL OR insert this system property with a value of ACL. | Documentation | |
| sn_SE10173 | 1 | Act | Client-Callable Script Includes should be private | Setting this property to "true" circumvents ACLs for client-side script includes and may result in unintended public functionality. This could have a potential security risk if the client script provides confidential information. | Either update the value of the glide.script.ccsi.ispublic system property to false OR insert this system property with a value of false. | Documentation | |
| sn_SE10174 | 1 | Act | SMTP Authentication should be enabled | Authentication should always be performed before the transactions happen to/from to ServiceNow instance. SMTP authentication enables this requirement before sending the content to the external Mail server by authenticating to the target SMTP server. | Either update the value of the glide.smtp.auth system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10175 | 1 | Act | WSDL Request Authorization should be enabled | Without appropriate authorization configured on the WSDL web services, an unauthorized user can get access to sensitive WSDL content/data on the target instance. | Either update the value of the glide.basicauth.required.wsdl system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10176 | 1 | Act | CSV Request Authorization should be enabled | Without appropriate authorization configured on the incoming CSV requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.csv system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10177 | 1 | Act | Excel Request Authorization should be enabled | Without appropriate authorization configured on the incoming Excel requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.excel system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10178 | 1 | Act | Import Request Authorization should be enabled | Without appropriate authorization configured on the data source import requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.importprocessor system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10179 | 1 | Act | PDF Request Authorization should be enabled | Without appropriate authorization configured on the incoming PDF requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.pdf system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10180 | 1 | Act | RSS Request Authorization should be enabled | Without appropriate authorization configured on the incoming RSS requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.rss system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10181 | 1 | Act | Script Request Authorization should be enabled | High - Without appropriate authorization configured on the incoming Script requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.scriptedprocessor system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10182 | 1 | Act | Basic Auth: SOAP Requests should be enabled | Without appropriate authorization configured on the data source SOAP requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.soap system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10183 | 1 | Act | Basic Auth: JSONv2 Requests should be enabled | Without appropriate authorization configured on the data source JSON requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.jsonv2 system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10184 | 1 | Act | Unload Request Authorization should be enabled | Without appropriate authorization configured on the data source unload requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.unl system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10185 | 1 | Act | XML Request Authorization should be enabled | Without appropriate authorization configured on the incoming XML requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.xml system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10186 | 1 | Act | XSD Request Authorization should be enabled | Without appropriate authorization configured on the incoming XSD requests, an unauthorized user can get access to sensitive content/data on the target instance. | Either update the value of the glide.basicauth.required.xsd system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10187 | 1 | Suggest | Optional: SAML 2.0 Web Browser SSO Profile plugin should be enabled | Vulnerable to cross-site scripting attacks. | Activate the Integration - Multiple Provider Single Sign-On Installer plugin. | Documentation | |
| sn_SE10188 | 1 | Act | Remove Credentials From Welcome Page | Default credentials could be exposed. | The default content on the Welcome page should be changed to remove the default credentials. | Documentation | |
| sn_SE10189 | 1 | Act | Remember Me should be disabled | When the Remember me check box is selected at login, an additional cookie is stored on the user's computer to automatically re-establish the session for the logged-in user upon subsequent visits. This poses a security risk as it allows the user session to be active until they deliberately log out. The likelihood of an attack for such scenario would increase when end user has left the machine/browser unattended or if their browser is compromised from a different attack vector. | Either update the value of the glide.ui.forgetme system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10190 | 1 | Act | Password Field Autocomplete should be disabled | User authentication fields should be validated and should never let the client side caching to happen. | Either update the value of the glide.login.autocomplete system property to false OR insert this system property with a value of false. | Documentation | |
| sn_SE10191 | 1 | Act | ValidatePasswordStronger should be enabled | Weak password being enabled on the instance is a critical security risk due to ease of access and extremely high likelihood for an adversary to get access to the instance with the help of simple password guessing/brute-forcing techniques. | Activate the ValidatePasswordStronger installation exit. | Documentation | |
| sn_SE10192 | 1 | Act | Disable Password-Less Authentication should be disabled | An attacker will be able to login to the instance with the default usernames, or by specific individual/group (usually firstname.lastname) without any password. This is viewed as a critical security risk, as it would enable a public user to violate confidentiality and integrity of the instance data. | Either update the value of the glide.login.no_blank_password system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10193 | 1 | Suggest | Optional: Multi-Factor Authentication should be enabled | Increased risk of unauthorized access to sensitive data. | Either update the value of the glide.authenticate.multifactor system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10194 | 1 | Act | Download MIME Types should be populated | Client side scripting attack vectors come in different flavors and the attachments MIME type abuse is no exception. MIME types can be abused by attackers and render the unintended script content of the attachment on the victim's side and thus capture sensitive information. In the current context, the property should be populated with a list of comma-separated attachment mime types that should not render inline in the browser. Ex: text/html | Either update the value of the glide.ui.attachment.download_mime_types system property to trusted file types such as text/csv,text/html,image/svg,image/svg+xml,application/xml, application/xhtml+xml OR insert this system property with a value of the trusted file types. | Documentation | |
| sn_SE10195 | 1 | Act | Force Download Attachments should be enabled | To reduce the client side scripting attacks, file attachments should be force downloaded as opposed to being rendered in the browser context. | Either update the value of the glide.ui.attachment.force_download_all_mime_types system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10197 | 1 | Act | Downloadable File Types should be populated | File download restrictions should be applied to any untrusted user input sources. | Either update the value of the glide.ui.strict_customer_uploaded_content_types system property to the trusted file types OR insert this system property with a value of the trusted file types. | Documentation | |
| sn_SE10198 | 1 | Act | File extensions should be restricted | As MIME type verification depends on this property, it is recommended to mitigate against the vulnerabilities related to malicious file upload. | Either update the value of the glide.attachment.extensions system property to the trusted file extensions OR insert this system property with a value of the trusted file extensions. | Documentation | |
| sn_SE10199 | 1 | Act | Upload MIME Type should be validated | To reduce vulnerabilities such as file inclusion and malicious file uploads, MIME type verification should be followed. | Either update the value of the glide.security.file.mime_type.validation system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10200 | 1 | Act | Unauthenticated Access to Attachments should be restricted | Restriction needs to be applied for unauthenticated users as some attachment might contain sensitive information. | Either update the value of the glide.image_provider.security_enabled system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10201 | 1 | Act | HTTP Session Identifiers should be on rotation | SessionID is used to process and authenticate the instance user by maintaining the session state on the browser. Thus, SessionID is deemed sensitive data and should be secure by default. Session Rotation is a security control to enforce alteration of sessionID whenever the user navigates from un-authenticated page(s) to authenticate page(s). | Either update the value of the glide.ui.rotate_sessions system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10202 | 1 | Act | Secure Session Cookies should be enabled | Session cookies are sensitive data and should be properly formatted. It is always recommended to strictly validate the session cookie before serving the request. | Either update the value of the glide.ui.secure_cookies system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10203 | 1 | Act | Session Activity Timeout should be enabled | User sessions being active for indefinite amount of time is a security risk and should expire on a time-based configuration. | Either update the value of the glide.ui.session_timeout system property to 60 OR insert this system property with a value of 60. | Documentation | |
| sn_SE10204 | 1 | Act | Cookies HTTP Only should be enabled | Session Cookies on the application authenticate an end user and provide implicit access permissions on the application, and thus there is a need to secure them from being stolen or exported. HTTP Only flags would protect the session cookies from being stolen by JavaScript injections or Cross Site scripting vulnerabilities. | Either update the value of the glide.cookies.http_only system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10205 | 1 | Act | Anti-CSRF Token should be enabled | Cross site Request Forgery is a significant security risk that violates the integrity of the instance data. An attacker can launch the CSRF attack on any instance user by abusing the application's trust on the instance user. With the help of social engineering attacks, a user can submit a malformed request on behalf of the attacker on the instance. | Either update the value of the glide.security.use_csrf_token system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10206 | 1 | Suggest | Optional: CSRF Strict Validation should be enabled | Cross site Request Forgery is a significant security risk that violates the integrity of the instance data. An attacker can launch the CSRF attack on any instance user by abusing the application's trust on the instance user. With the help of social engineering attacks, a user can submit a malformed request on behalf of the attacker on the instance. | Either update the value of the glide.security.csrf.strict.validation.mode system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10207 | 1 | Act | Certificate Trust should be disabled | For confidentiality and integrity reasons, application should validate the certificate's CA before using the certificate for any transactional operations. | Either update the value of the com.glide.communications.trustmanager_trust_all system property to false OR insert this system property with a value of false. | Documentation | |
| sn_SE10208 | 1 | Act | SSLv2/SSLv3 should be disabled | Due to a number of Client side attacks such as BEAST, SSL heart-bleed etc., legacy versions of SSL were proven to be insecure when utilized for HTTP secure shell implementation. | Either update the value of the glide.outbound.sslv3.disabled system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10209 | 1 | Act | Relative Links should be enforced | Absolute URLs can pose a security risk when being used as a part of parameter or a field value, and thus redirecting the source page to an adversary controlled website. | Either update the value of the glide.cms.catalog_uri_relative system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10210 | 1 | Act | X-Frame-Options: SAMEORIGIN should be enabled | "Same Origin policy" allows to restrict a domain from retrieving a script or a resource from another domains. All modern browsers support this functionality. The policy validates the connection based on protocol, port and host. CORS (Cross Origin Request) is a slight modification to "Same Origin Policy" that allows access to resources/scripts from another domain when explicitly stated as a part of header value. In the current case, X-Frame-Options header controls whether or not ServiceNow application can be rendered on the 3rd party website, and thus to reduce sensitive exposure the property value when set to "SAMEORIGIN" doesn't allow the rendering to happen. | Either update the value of the glide.set_x_frame_options system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10211 | 1 | Act | Managing Failed Login Attempts should be configured | A logging and auditing strategy should be applied so that suspicious activity can be identified and acted upon in a timely manner. | Activate the SNC User related Script Actions. | Documentation | |
| sn_SE10212 | 1 | Act | SQL error message rendering should be disabled | No sensitive SQL information should be allowed to display as a part of error message on a webpage that could help an attacker. | Either update the value of the glide.db.loguser system property to false OR delete this system property. | Documentation | |
| sn_SE10213 | 1 | Act | Mobile UI Obfuscation should be enabled | A compromised (jailbroken) device would allow an attacker to have full access to the file system and thus will be able to access those files/snapshots with sensitive information embedded in them . | Either update the value of the glide.ui.m.blur_ui_when_backgrounded system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10214 | 1 | Suggest | URL Allow list For Logout Redirects | Client side open redirection can enable attacker to redirect victims/users to attacker controlled website and is viewed as a security risk. | Either update the value of the glide.security.url.whitelist system property to include whitelisted URLs OR insert this system property with a value of the whitelisted URLs. | Documentation | |
| sn_SE10215 | 1 | Suggest | Optional: Entity Validation should be disabled | An attacker can leverage this to expand data exponentially, quickly consuming all system resources. | Either update the value of the glide.stax.allow_entity_resolution system property to false OR insert this system property with a value of false. | Documentation | |
| sn_SE10216 | 1 | Suggest | Email Domain restrictions should be configured | If the property is not enabled, an attacker might using email spoofing/spamming campaign to send number of emails that might end up creating more number of unnecessary guest users. | Either update the value of the glide.user.trusted_domain system property to include trusted domains OR insert this system property with a value of the trusted domains. | Documentation | |
| sn_SE10237 | 1 | Recommend | Unaffiliated credentials should be removed | Unused credentials could be used to spoof accounts in hacking attempts | Either apply the credential, or delete the unused record. | Documentation | |
| sn_SE10248 | 1 | Act | Cross Scope Privileges in requested status should be reviewed | Possibility for bugs in the application resulting in inaccurate data and/or poor user experience. | Review the Cross Scope Privilege record to determine whether to allow or deny the operation requested. | Documentation | |
| sn_SE10266 | 1 | Act | Default password should not be set to "password" | Unnecessary security risk of an attacker gaining access to the system. | Update the value of the glide.user.default_password property to have a more complex password include lower case letters, upper case letters, a number, and a special character. | Documentation | |
| sn_SE10277 | 1 | Act | Enforce Strict User Image Upload | When this property is set to false, ACLs are not enforced on image uploads to the Photo field and open the possibility of an unauthorized user uploading an image to another user's profile. | Set the "glide.security.strict.user_image_upload" system property to true. | Documentation | |
| sn_SE10278 | 1 | Act | Restrict Access to Emails with Empty Target Table | Users may have access to view unintended emails. | Set the "glide.email.email_with_no_target_visible_to_all" system property to false. | Documentation | |
| sn_SE10279 | 1 | Suggest | Entity Expansion Threshold should be set to 3000 | An attacker can leverage entity expansion to grow data exponentially, quickly consuming all system resources. | Set the glide.xmlutil.max_entity_expansion system property to 3000; a higher value raises the number of expansions the parser performs before it rejects a document. | Documentation | |
| sn_SE10280 | 1 | Act | Email Spam Scoring and Filtering plugin should be enabled | Email filters let administrators specify, through a condition builder or a condition script, when to move email to particular mailboxes or to ignore it. This is particularly useful when receiving malicious email from known or unknown senders. | Activate the Email Spam Scoring and Filtering (com.___PARM_0___) plugin. | Documentation | |
| sn_SE10281 | 1 | Act | XML External Entity Processing - Whitelist should be configured | A DTD supplied by an attacker may contain external entity references that cause the server to issue arbitrary HTTP requests. | Set the value to the comma-delimited list of FQDNs that XML entity processing may reach; once configured, these are the only URLs reachable via XML entity processing. Note: an entity SYSTEM ID must start with "http:" or "https:" or it is automatically blocked, and when the allow list is enabled the PUBLIC form of an external entity definition is required. | Documentation | |
| sn_SE10282 | 1 | Act | Entity expansion should be disabled | An attacker can leverage entity expansion to grow data exponentially, quickly consuming all system resources (a "Billion Laughs" attack). | Ensure the property "glide.xml.entity.whitelist" is set to "http://java.sun.com/j2ee/dtds/" and the property "glide.xml.entity.whitelist.enabled" is set to "true". | Documentation | |
| sn_SE10284 | 1 | Act | Openframe origin validation should be enabled | Without origin validation, any webpage or script can drive the OpenFrame message event handler. | Set the origin-checking property to true. Once it is enabled, any domains that must still be allowed have to be added to the glide.ui.concourse.onmessage_enforce_same_origin_whitelist system property. | Documentation | |
| sn_SE10285 | 1 | Suggest | Set a maximum cap for user sessions to expire | User sessions that stay active indefinitely are a security risk; they should expire on a time-based schedule. | Set the glide.ui.user_cookie.max_life_span_in_days system property to 30. | Documentation | |
| sn_SE10287 | 1 | Act | The default Cache-Control value should be set to Private | Instances with CDN/proxies may cache static content and render without authentication. | Set the glide.http.cache_control system property to private. | Documentation | |
| sn_SE10295 | 1 | Recommend | Reports should typically not be made public | Unauthenticated users may see classified data. | Share reports through Roles, Users, and/or Groups rather than have them be accessible by any user. To make a report available only to logged-in users, set its Sharing setting to Everyone, but do not publish it. List reports are excluded from this definition as they always apply table-level security (ACLs). | Documentation | |
| sn_SE10314 | 1 | Recommend | Domain Separated: Users with cross-domain visibility | Users can be exposed to the data of another domain. | Instead of using "visibility domains" it is best to use "contains domains" for more robust control. | Documentation | |
| sn_SE10432 | 1 | Recommend | Portal pages should typically not be made public | Unauthenticated users may see classified data. | Set the Public field to false and ensure access is limited to the required audience only. | Documentation | |
| sn_SE10433 | 1 | Suggest | Review public UI Pages | Unauthenticated users may see classified data. | Set the Active field to false and ensure access is limited to the required audience only. | Documentation | |
| sn_SE10434 | 1 | Recommend | HR Lifecycle Event: Altering the "Assignable by" field | Changes to the "Assignable by" field on these HR Roles can pose a security risk as it could allow inexperienced or malicious users to access classified HR data. | Ensure that these HR Roles are only "Assignable by" the sn_hr_le.admin or sn_hr_le.activity_set_manager role. Reverting these records to baseline will resolve these Findings. | Documentation | |
| sn_SE10435 | 1 | Recommend | HR Core: Altering the "Assignable by" field | Changes to the "Assignable by" field can pose a security risk as it could allow inexperienced or malicious users to access classified HR data. | Ensure that the "Assignable by" field on these records is set as provided when this plugin was activated. Reverting these records to baseline would resolve these Findings. | Documentation | |
| sn_SE10436 | 1 | Act | Planned Start and End Dates for Change records should be protected through ACLs | Without ACLs protecting these fields, users can update the Planned Start and End Date fields from the list view, and changed dates may cause confusion among users. | Secure the Planned Start and End Date fields with an ACL rather than a UI Policy: a UI Policy acts only in the form on the client, while an ACL is enforced on the server for list and API edits as well. | Documentation | |
| sn_SE10437 | 1 | Act | Mobile devices should restrict copy/paste | A compromised (jailbroken) device gives an attacker full access to the clipboard and therefore to any sensitive information placed there. | Set the property "glide.sg.clear_pasteboard_when_backgrounded" to true. | Documentation | |
| sn_SE10438 | 1 | Recommend | Default value of the user lockout duration should be 1440 minutes | Setting this property to a shorter value may allow attackers to resume their attacks after only a short wait. | Set the value of the property "password_reset.request.max_attempt_window" to 1440 (in minutes). | Documentation | |
| sn_SE10439 | 1 | Act | Optional: Automatic User Creation should be enabled | Users outside of your organization can create incident records. | Set the property "glide.pop3readerjob.create_caller" to false. When false, the instance runs inbound actions from senders who do not match an existing user by impersonating the guest user. Review your existing user records to reconcile any that share an email address: if you activate the plugin before reconciling, the instance cannot distinguish between users with identical email addresses and randomly selects one of them. | Documentation | |
| sn_SE10440 | 1 | Act | Google re-CAPTCHA on the self-registration page should be enabled | Increased spam through the self-registration page. | Set the property "sn_ext_usr_reg.captchaEnabled" to true. | Documentation | |
| sn_SE10441 | 1 | Act | Antivirus Protection Scanning should be enabled | Increased threat of virus infections from file attachments. | Set the property "com.___PARM_0___" to true. | Documentation | |
| sn_SE10442 | 1 | Act | System property "glide.pop3.process_locked_out" should not be enabled | Allows locked-out or untrusted users to reset their password and send emails to the instance | Set the property "glide.pop3.process_locked_out" to false. | Documentation | |
| sn_SE10443 | 1 | Act | Increased number of unsuccessful password reset attempts | Setting this property to a greater value may allow hackers multiple attempts to log in. | Set the value of the property "password_reset.request.max_attempt" to 3 password attempts. | Documentation | |
| sn_SE10444 | 1 | Recommend | Integration accounts assigned the Admin role | Integration accounts with administrative access serve as potential security threats. | Ensure that Integration account users are not assigned the admin role. Alternative approaches would be to grant access to the actual tables and records needed. Import Admin is also sufficient to process Import Sets. Care should be taken to not implement scheduled jobs using the admin role. | Documentation | |
| sn_SE10446 | 1 | Recommend | PA breakdown visibility to roles | Users may view data that is not relevant to them. | Unselect "Visible by all roles" and select the specific roles that are required to access the breakdown. | Documentation | |
| sn_SE10447 | 1 | Act | Remove the Campaign Admin role from IT System Administrator role | IT System Administrators could view sensitive HR data. | As an Admin user, navigate to the sys_user_role_contains table, then select the "admin" role record. From the "Contains Roles" related list, remove sn_ca.campaign_admin. Ensure that you have at least two users with that role already. | Documentation | |
| sn_SE10448 | 1 | Act | Remove the Content Delivery Admin role from IT System Administrator role | IT System Administrators could view sensitive HR data. | As an Admin user, navigate to the sys_user_role_contains table, then select the "admin" role record. From the "Contains Roles" related list, remove sn_cd.content_admin. Ensure that you have at least two users with that role already. | Documentation | |
| sn_SE10449 | 1 | Act | Remove the Employee Document Management Admin role from IT System Administrator role | IT System Administrators could view sensitive HR data. | As an Admin user, navigate to the sys_user_role_contains table, then select the "admin" role record. From the "Contains Roles" related list, remove sn_hr_ef.admin. Ensure that you have at least two users with that role already. | Documentation | |
| sn_SE10450 | 1 | Recommend | App PINs for the mobile app should be enabled | Any user could access the mobile application when PINs aren't required. | Set the property "glide.sg.require_mobile_application_pin" to true. | Documentation | |
| sn_SE10452 | 1 | Recommend | Service Portal resources should define roles to restrict access | A breach of data could take place if access control using Roles is not correctly configured on Service Portal Pages and Widgets. | For Service Portal resources that are not public, there should be a list of roles configured to restrict access. Only pages and widgets that do not require access control should be public or have no roles defined. | Documentation | |
| sn_SE10455 | 1 | Act | Record Producers should have defined roles to restrict access | Record Producers are viewable by all users, no matter their roles. | Either set the system property "glide.sc.use_user_criteria" to true or navigate to the Accessibility tab within a Record Producer and ensure roles are defined. | Documentation | |
| sn_SE10457 | 1 | Suggest | The maximum number of recipients listed on a single email notification should be limited to 100 | Duplicated email notifications will be created to address those who exceed the 100 recipient limit. | Set the property "glide.email.smtp.max_recipients" to a value less than or equal to 100. | Documentation | |
| sn_SE10460 | 1 | Recommend | Users with Alumni in their HR profile still marked as active | Users who have left the company may still have access to the instance. | Deactivate the user account of the users with the "sn_hr_core.hrsm_alumni" role assigned. | Documentation | |
| sn_SE10461 | 1 | Suggest | Web service access only users should not have elevated access | May serve as a potential point of compromise if elevated access is provided to such users. | Remove elevated access roles from the web service access only user. | Documentation | |
| sn_SE10462 | 1 | Suggest | Access controls on Tables | Without access controls, any user would be able to access tables they should not have access to. | Elevate to the Security Admin role, then navigate to System Security > Access Control and create a new ACL. | Documentation | |
| sn_SE10463 | 1 | Act | Remove the HR core admin and LE Admin roles from the Admin role | Only users with the HR Administrator [sn_hr_core.admin] and LE Administrator [sn_hr_le.admin] roles should have access to HR data containing sensitive information. | After system configuration, remove the HR Administrator role from the Admin role to prevent admins from viewing sensitive HR information. This ensures that only the HR Administrator [sn_hr_core.admin] has access to the sensitive information. | Documentation | |
| sn_SE10466 | 1 | Recommend | Unintentional Cross Scope privileges | Prevents unauthorized access to scoped applications. | Investigate each Cross Scope privilege and identify whether it is really needed by the application. If not, remove the privilege and regression test to ensure that behavior is as expected. | Documentation | |
| sn_SE10468 | 1 | Act | External users should not have access to the sys_audit table. | External users can access system audit table and view potentially confidential data. | System tables usually are not needed to be accessed by all internal and external users and can be restricted to the groups needed. | Documentation | |
| sn_SE10469 | 1 | Act | Do not deactivate or delete the "Assign HR Roles" business rule | This business rule prevents security issues by automatically granting or removing access to the HR portal based on employment type and start/end date. | Set the business rule "Assign HR Roles" to Active. | /api/now/v1/context_doc_url/CSHelp:client-role-assignment-rules | |
| sn_SE10470 | 1 | Recommend | Grant the HR Administrator with Delegated Developer for HR Scope Application | Prevents unintended access to sensitive HR information by the IT System Administrator by delegating development of the HR Core scope to the HR Administrator. | Assign a Delegated Developer role for the HR Core scope. | Documentation | |
| sn_SE10471 | 1 | Act | HR Tables not excluded from cloning on Production | HR data with sensitive information could be cloned down into sub-production instances. | Create exclusions for HR tables in your production instance. | Documentation | |
| sn_SE10472 | 1 | Recommend | Not using the appropriate user account for Vulnerability integrations | Using an inappropriate user account may lead to security vulnerabilities. | Use the VR System account as the RunAs user for scheduled script executions and scheduled data imports. | Documentation | |
| sn_SE10473 | 1 | Act | Number of users with high privilege roles | Having more than 10 users with high-privilege roles increases the chance of a security leak. | Make sure that all high-privilege roles do not have more than 10 users assigned. | Documentation | |
| sn_SE10474 | 1 | Recommend | Report shared with a role that does not exist | Reports shared with a role that does not exist might lead to unforeseen behavior. | Remove the invalid role by editing the report, then share the report with valid roles. | Documentation | |
| sn_SE10475 | 1 | Suggest | Use the dedicated integration user to run actions in place of the default | Authentication is required for all SOAP requests including internal integration when WS-Security is enabled. Communication requests may be blocked when a MID Server or ODBC Driver user account user is not set as an internal integration user. | Check the internal_integration_user field for the MID Server or ODBC Driver user account. | Documentation | |
| sn_SE10476 | 1 | Act | System Audit table access for all external users | Users may have unnecessary access to system tables. | System tables usually are not needed to be accessed by all internal and external users and can be restricted to the groups needed. | Documentation | |
| sn_SE10478 | 1 | Act | Remove the Security Incident Admin Role from the Admin role | Only users with the Security Incident Admin role should have access to Security Incident data with sensitive information. | After system configuration, remove the Security Incident Administrator role from the Admin role to prevent admins from viewing sensitive Security Incident information. This will ensure that only the Security Incident Administrator [sn_si.admin] has access to the sensitive information. | Documentation | |
| sn_SE10479 | 1 | Act | Use RCA to secure HR Core | Server-side queries may be run against HR data or tables to access sensitive information. | It is recommended to utilize the Restricted Caller Access (ID: com.___PARM_0___) plugin when using the Human Resources Core Application (ID:com.sn_hr_core). | Documentation | |
| sn_SE10480 | 1 | Suggest | Baseline CISO Role has write access | Senior leadership users who do not require write access to Security Incident records would be able to edit such records. | Discuss whether senior leadership users actually require the ability to edit Security Incident records. Consider de-coupling the "sn_si.basic" role from "sn_si.ciso" if senior leadership does not require write permissions on Security Incident records. | Documentation | |
| sn_SE10483 | 1 | Act | Security Incident assignment groups are missing a type attribute | The users in these groups would not be able to have any security incidents assigned to them. | Groups that currently have role "sn_si.analyst" assigned to them should have the Type attribute defined as "Security Incident". | Documentation | |
| sn_SE10491 | 1 | Recommend | API calls to Security Incident Response should use accounts with the "sn_si.integration_user" role | Using an inappropriate user account may lead to security vulnerabilities. | Consider adding the "sn_si.integration_user" role to each user account accessing the Security Incident [sn_si_incident] table via API. | /api/now/v1/context_doc_url/CSHelp:components-installed-sir | |
| sn_SE10492 | 1 | Recommend | Enable Report ACL | If Report View ACLs are left disabled, users may have access to report data that they should not. | Report View ACLs provide control over who can view reports protected by the Report View ACL. | Documentation | |
| sn_SE10493 | 1 | Recommend | Multiple encryption keys in existence | If an older key is removed, records still encrypted with it can no longer be decrypted. | Rotate keys and re-encrypt records so that no record remains encrypted with an old key. | Documentation | |
| sn_SE10494 | 1 | Recommend | Knowledge Base and articles are public | All users would have access to knowledge bases and articles | Make sure to define user criteria for Knowledge Base and articles. | Documentation | |
| sn_SE10522 | 1 | Recommend | Scripted REST resource without enabled security | Making your APIs public is not suggested because doing so allows the public access to update data in the instance. | To require authorization, select the Requires Authentication checkbox and then select the Requires ACL authorization check box. Finally select an ACL record(s). Leave the ACL field blank to enforce the Default ACLs from the parent API. Access is granted if at least one matching ACL record is found. | Documentation | |
| sn_SE10523 | 1 | Recommend | Enable IP Range Based Authentication | Unauthorized users may be able to access your instance. | | Documentation | |
| sn_SE10534 | 1 | Act | Tracked Configuration Files may be exposing passwords, API tokens, and secret keys | Users with the itil role may have unauthorized access to passwords, API tokens, and secret keys. | Review the tracked config files by navigating to the cmdb_ci_config_file_tracked table and confirming whether secure information is present. Either control access to this table through ACLs or reimplement your applications to use a password vault so that no credential is stored in clear text. | Documentation | |
| sn_SE10541 | 1 | Act | ACL defined without role, script, and condition | Your data could be exposed: when the role, security attribute, script, and condition of an ACL are all empty, the default behavior is to allow access, including to unauthenticated users. | Review the ACL and add the appropriate roles, security attributes, conditions, or scripting. If the ACL must otherwise remain as is, at a minimum add the following to the ACL script so that only authenticated users can access the data: answer = gs.getSession().isLoggedIn(); (the parentheses matter: without them the script assigns the function object itself, which is truthy, and the check never fails). | Documentation | |
| sn_SE10585 | 1 | Recommend | Potential Misconfiguration of Knowledge Base User Criteria | Users may receive unintended and unauthenticated access to your KB articles. | Create the system property glide.knowman.block_access_with_no_user_criteria and set the value to true. | Documentation | |
| sn_SE10594 | 1 | Recommend | Block access to non-public Knowledge Bases for unauthenticated users | Potential loss of confidential or PII information | Either update the value of the glide.knowman.block_access_with_no_user_criteria system property to true OR insert this system property with a value of true. | Documentation | |
| sn_SE10639 | 1 | Recommend | Any users encapsulated within a KB's 'Can Contribute' list have the ability to read all of the KB's | Users may receive unintended and unauthenticated access to your KB articles. | Create the system property glide.knowman.apply_article_read_criteria and set the value to true. | Documentation | |
| sn_SE10640 | 1 | Recommend | Defines a list of roles that can view KB articles that are in a 'Draft State' | Users may receive unintended and unauthenticated access to your KB articles. | Create the system property glide.knowman.section.view_roles.draft and set the value to admin, knowledge_admin. | Documentation | |
| sn_SE10641 | 1 | Recommend | All users within the defined roles have the ability to view articles that exist in a custom state. | Users may receive unintended and unauthenticated access to your KB articles. | Create the system property glide.knowman.section.view_roles.stagesAndRoles and set the value to admin, knowledge_admin. | Documentation | |
| sn_SE10642 | 1 | Recommend | Show unpublished articles | Users may view KB articles that are not yet published. | Create the system property glide.knowman.show_unpublished and set the value to false. | Documentation | |
| sn_SE10643 | 1 | Act | The ACL checks user authentication and references a system property to allow or deny access based on | Allowing unauthenticated access could expose the organization to data breaches, regulatory non-compliance, and security risks. | Ensure the glide.security.allow_unauth_roleless_acl system property is set to false to prevent unauthenticated access. | Documentation | |
| sn_SE10644 | 1 | Recommend | Defines a list of roles that can view KB articles that are in a 'Review' state | Users may receive unintended and unauthenticated access to your KB articles. | Create the system property glide.knowman.section.view_roles.review and set the value to admin,knowledge_admin,knowledge,itil. | Documentation | |
| sn_SE10645 | 1 | Recommend | Inactive OOB Business Rule(s) to Prevent Unauthenticated Access By Default | Users may receive unintended and unauthenticated access to your KB articles. | Search for business rule Restrict guest user to knowledge base with SysId 6c8ec5147711111016f35c207b5a9969 and set active field to true. | Documentation |
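Many of the definitions above (sn_SE10266, sn_SE10277, sn_SE10278, sn_SE10279, sn_SE10282, sn_SE10285, sn_SE10287, sn_SE10437, sn_SE10438, sn_SE10440, sn_SE10442, sn_SE10443, sn_SE10450, sn_SE10457, sn_SE10585, sn_SE10639, sn_SE10642 and sn_SE10643) reduce to one system property holding an expected value. The following is an added example, not ServiceNow's Scan Engine code, that checks an exported set of property values against those baselines offline. The sample property set is constructed for the example, and treating an absent property as a finding is an assumption taken from the definitions that require the property to be created.

```javascript
// Added example: offline check of sys_properties values against the baselines
// in the definitions above. Not ServiceNow code. Input is { name: value } with
// string values, as a sys_properties export gives you.

function isTrue(v) { return String(v).trim().toLowerCase() === 'true'; }
function isFalse(v) { return String(v).trim().toLowerCase() === 'false'; }
function equals(expected) {
  return (v) => String(v).trim().toLowerCase() === expected;
}
function asNumber(v) {
  const s = String(v).trim();
  return s === '' ? NaN : Number(s); // NaN fails every comparison below
}
function atMost(limit) { return (v) => asNumber(v) <= limit; }
function atLeast(limit) { return (v) => asNumber(v) >= limit; }
// sn_SE10266: not the literal "password", and meets the stated complexity rule
function notWeakPassword(v) {
  const s = String(v);
  return s.toLowerCase() !== 'password' &&
    /[a-z]/.test(s) && /[A-Z]/.test(s) && /[0-9]/.test(s) && /[^A-Za-z0-9]/.test(s);
}

// [definition, property, check]. Thresholds follow the Steps to Resolve text.
const BASELINE = [
  ['sn_SE10266', 'glide.user.default_password', notWeakPassword],
  ['sn_SE10277', 'glide.security.strict.user_image_upload', isTrue],
  ['sn_SE10278', 'glide.email.email_with_no_target_visible_to_all', isFalse],
  ['sn_SE10279', 'glide.xmlutil.max_entity_expansion', atMost(3000)],
  ['sn_SE10282', 'glide.xml.entity.whitelist.enabled', isTrue],
  ['sn_SE10285', 'glide.ui.user_cookie.max_life_span_in_days', atMost(30)],
  ['sn_SE10287', 'glide.http.cache_control', equals('private')],
  ['sn_SE10437', 'glide.sg.clear_pasteboard_when_backgrounded', isTrue],
  ['sn_SE10438', 'password_reset.request.max_attempt_window', atLeast(1440)],
  ['sn_SE10440', 'sn_ext_usr_reg.captchaEnabled', isTrue],
  ['sn_SE10442', 'glide.pop3.process_locked_out', isFalse],
  ['sn_SE10443', 'password_reset.request.max_attempt', atMost(3)],
  ['sn_SE10450', 'glide.sg.require_mobile_application_pin', isTrue],
  ['sn_SE10457', 'glide.email.smtp.max_recipients', atMost(100)],
  ['sn_SE10585', 'glide.knowman.block_access_with_no_user_criteria', isTrue],
  ['sn_SE10639', 'glide.knowman.apply_article_read_criteria', isTrue],
  ['sn_SE10642', 'glide.knowman.show_unpublished', isFalse],
  ['sn_SE10643', 'glide.security.allow_unauth_roleless_acl', isFalse],
];

// One finding per property that is absent or outside its baseline.
// Assumption: an absent property counts as a finding, because several
// definitions (for example sn_SE10585) require the property to be created.
function evaluate(props) {
  const findings = [];
  for (const [id, name, check] of BASELINE) {
    if (!Object.prototype.hasOwnProperty.call(props, name)) {
      findings.push({ id, name, value: null, reason: 'property absent' });
    } else if (!check(props[name])) {
      findings.push({ id, name, value: props[name], reason: 'outside baseline' });
    }
  }
  return findings;
}

// Constructed sample export, not taken from a real instance.
const SAMPLE_PROPERTIES = {
  'glide.user.default_password': 'password',
  'glide.security.strict.user_image_upload': 'true',
  'glide.email.email_with_no_target_visible_to_all': 'true',
  'glide.xmlutil.max_entity_expansion': '3000',
  'glide.xml.entity.whitelist.enabled': 'true',
  'glide.ui.user_cookie.max_life_span_in_days': '365',
  'glide.http.cache_control': 'private',
  'glide.sg.clear_pasteboard_when_backgrounded': 'true',
  'password_reset.request.max_attempt_window': '1440',
  'sn_ext_usr_reg.captchaEnabled': 'true',
  'glide.pop3.process_locked_out': 'false',
  'password_reset.request.max_attempt': '3',
  'glide.sg.require_mobile_application_pin': 'true',
  'glide.email.smtp.max_recipients': '100',
  'glide.knowman.block_access_with_no_user_criteria': 'true',
  'glide.knowman.apply_article_read_criteria': 'true',
  'glide.knowman.show_unpublished': 'false',
  // glide.security.allow_unauth_roleless_acl deliberately left out
};

console.log(JSON.stringify(evaluate(SAMPLE_PROPERTIES), null, 2));
```

Values are compared as strings because that is how sys_properties stores them; a numeric check therefore has to reject an empty string rather than let Number('') turn it into 0.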
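The XML findings sn_SE10279 (expansion threshold) and sn_SE10281/sn_SE10282 (external entity allow list) are easier to reason about with a small model of what the parser enforces. The following is an added example, not ServiceNow's XML code: it counts the entity expansions a DTD would require and stops at a cap, which is what glide.xmlutil.max_entity_expansion does, and it applies the scheme and allow-list rules from sn_SE10281 to SYSTEM identifiers. The DTDs are constructed here; the exact counting rule of the instance's parser and the form of an allow-list entry (host name or URL prefix, both accepted below) are assumptions.

```javascript
// Added example, not ServiceNow code. A model of two XML defences from the
// definitions above: an entity-expansion cap (glide.xmlutil.max_entity_expansion,
// sn_SE10279) and the external-entity allow list (sn_SE10281). Inputs are constructed.

const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/g;
const SYSTEM_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+SYSTEM\s+"([^"]*)"\s*>/g;
const ENTITY_REF = /&([A-Za-z_][\w.-]*);/g;

// name -> replacement text, internal entities only
function parseEntities(dtd) {
  const entities = new Map();
  for (const m of dtd.matchAll(ENTITY_DECL)) entities.set(m[1], m[2]);
  return entities;
}

// Walk references depth-first, charging one expansion per reference and
// aborting as soon as the running total passes the cap, so the work done on
// a hostile document is bounded by the cap rather than by the document. The
// stack catches self-referencing entities, which would never terminate.
function walk(text, entities, cap, state) {
  for (const m of text.matchAll(ENTITY_REF)) {
    const name = m[1];
    if (!entities.has(name)) continue; // undeclared: a real parser errors here
    if (state.stack.has(name)) throw new Error('recursive entity ' + name);
    state.count += 1;
    if (state.count > cap) throw new Error('entity expansion cap ' + cap + ' exceeded');
    state.stack.add(name);
    walk(entities.get(name), entities, cap, state);
    state.stack.delete(name);
  }
}

function checkDocument(body, dtd, cap) {
  const state = { count: 0, stack: new Set() };
  try {
    walk(body, parseEntities(dtd), cap, state);
    return { allowed: true, expansions: state.count, reason: '' };
  } catch (e) {
    return { allowed: false, expansions: state.count, reason: e.message };
  }
}

// Builds a "Billion Laughs" style DTD: lolN expands to `fanout` copies of lol(N-1).
function lolDtd(depth, fanout) {
  let dtd = '<!ENTITY lol0 "lol">\n';
  for (let i = 1; i <= depth; i++) {
    const ref = '&lol' + (i - 1) + ';';
    dtd += '<!ENTITY lol' + i + ' "' + ref.repeat(fanout) + '">\n';
  }
  return dtd;
}

// sn_SE10281: a SYSTEM ID must be http(s) and must match the allow list.
// Assumption: an allow-list entry is either a host name or a URL prefix.
function externalEntityAllowed(systemId, allowList) {
  let url;
  try { url = new URL(systemId); } catch (e) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allowList.split(',').map((s) => s.trim()).filter(Boolean)
    .some((entry) => (entry.includes('/') ? systemId.startsWith(entry) : url.hostname === entry));
}

// True only if every SYSTEM entity in the DTD is permitted.
function externalEntitiesAllowed(dtd, allowList) {
  return Array.from(dtd.matchAll(SYSTEM_DECL))
    .every((m) => externalEntityAllowed(m[2], allowList));
}

// Constructed inputs
console.log(checkDocument('<x>&lol2;</x>', lolDtd(2, 10), 3000)); // allowed, 111 expansions
console.log(checkDocument('<x>&lol9;</x>', lolDtd(9, 10), 3000)); // rejected at the cap
console.log(externalEntityAllowed('file:///etc/passwd', 'java.sun.com')); // false
```

The benign document costs 111 expansions and passes; the nine-level DTD would need over a billion, but the walk gives up after 3001 counted references, which is the whole point of a cap that is checked while expanding rather than after.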
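sn_SE10541 and sn_SE10643 both concern what an ACL does when it has nothing to evaluate, and the minimal script suggested for sn_SE10541 is easy to get wrong. The following is an added example, not ServiceNow code: a constructed stand-in for the server-side gs object (only the two members the scripts use) lets the ACL scripts run outside an instance, and a simplified model of ACL evaluation (roles, condition and script must all pass; an ACL with none of them allows by default) shows the effect of glide.security.allow_unauth_roleless_acl. The model's handling of that property, including treating an absent property as allowing, is an assumption about the behaviour the definition describes, and the role name passed in is hypothetical.

```javascript
// Added example, not ServiceNow code. A constructed stand-in for the parts of
// the server-side `gs` object that the ACL scripts below use.
function makeGs(loggedIn, roles) {
  return {
    getSession: () => ({ isLoggedIn: () => loggedIn }),
    hasRole: (role) => roles.includes(role),
  };
}

// An ACL script is evaluated for the value it leaves in `answer`; access is
// granted when that value is truthy. Each function returns what the script
// would leave in `answer`.

// Missing call parentheses: `answer` receives the function object, which is
// truthy, so the ACL passes for every caller, guest included.
function aclScriptMissingParens(gs) {
  var answer = gs.getSession().isLoggedIn;
  return Boolean(answer);
}

// The form sn_SE10541 intends: true only for an authenticated session.
function aclScriptLoggedIn(gs) {
  var answer = gs.getSession().isLoggedIn();
  return Boolean(answer);
}

// Stronger: authenticated and holding a named role (hypothetical role name
// passed by the caller), so session state alone never satisfies the ACL.
function aclScriptLoggedInWithRole(gs, role) {
  var answer = gs.getSession().isLoggedIn() && gs.hasRole(role);
  return Boolean(answer);
}

// Simplified model of ACL evaluation. `acl` has roles (array) and optional
// condition(gs) and script(gs) functions. Assumption for sn_SE10643: with no
// roles, condition or script the ACL allows by default, unless the caller is
// unauthenticated and glide.security.allow_unauth_roleless_acl is "false".
function evaluateAcl(acl, gs, props) {
  const hasRoles = Array.isArray(acl.roles) && acl.roles.length > 0;
  const hasCondition = typeof acl.condition === 'function';
  const hasScript = typeof acl.script === 'function';
  if (!hasRoles && !hasCondition && !hasScript) {
    const raw = String(props['glide.security.allow_unauth_roleless_acl'] || '');
    const allowUnauth = raw.trim().toLowerCase() !== 'false'; // absent => allow (assumption)
    return gs.getSession().isLoggedIn() || allowUnauth;
  }
  if (hasRoles && !acl.roles.some((r) => gs.hasRole(r))) return false;
  if (hasCondition && !acl.condition(gs)) return false;
  if (hasScript && !acl.script(gs)) return false;
  return true;
}

// Constructed callers and ACLs
const guest = makeGs(false, []);
const itilUser = makeGs(true, ['itil']);
const emptyAcl = { roles: [] };
const hardened = { 'glide.security.allow_unauth_roleless_acl': 'false' };

console.log(aclScriptMissingParens(guest)); // true: the pitfall
console.log(aclScriptLoggedIn(guest)); // false
console.log(evaluateAcl(emptyAcl, guest, {})); // true: empty ACL allows guest
console.log(evaluateAcl(emptyAcl, guest, hardened)); // false
```

The last two lines show why sn_SE10643 exists: an ACL with nothing to evaluate is an allow rule, and only the property closes it to unauthenticated callers. Adding a script does not help if the script cannot return false, which is what the missing-parentheses version does.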