- Date: 26 June 2023
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- Discovered by: Bipin Jitiya (@win3zz)

[REDACTED], Inc., uses ServiceNow with an instance named "[REDACTED]" accessible at https://[REDACTED].service-now.com/. Upon reviewing this instance, I observed that it is not sufficiently hardened for security, and some endpoints are exposing sensitive information. The following three endpoints, designed for performance monitoring, logging, and troubleshooting purposes, are accessible without authentication: