A security researcher has used a vulnerability in Servicena’s cloud service to exploit a bug in the browser’s security framework.
The exploit relies on a Servicene security feature that allows the browser to inject arbitrary code into the browser when a user attempts to log in.
“We are not aware of any exploits of this feature,” the company told SecurityWeek.
It said the vulnerability was “implemented in Serviceenow.com, and was present in the default web browser and the latest version of the Servicenic web browser, which is the version of Serviceena that is installed on most systems”.
The vulnerability was discovered by security researcher Ondrej Vyper of the Internet Security Research Group, who was able to exploit it by using a Serviceene web application to log in to an attacker-controlled system.
The vulnerability, he wrote in a blog post on Tuesday, allowed an attacker to remotely execute arbitrary code by accessing the browser, but only if the attacker had the right privileges on the compromised system.
Vyper’s blog post has since been pulled from the internet.
“Our team of experts and security researchers have been working to patch this vulnerability and it will be patched in the coming weeks,” the company added.
However, it warned that the vulnerability could still be used to access websites which were not secured against this type of attack.
Servicenews.com has been in operation since 1999.
Servicena said it was not aware that it had been used to exploit the Servics vulnerabilities.
“Servicenes web application is an open source, fully tested and maintained software platform that offers a full suite of security and privacy features,” the statement said.
“The vulnerability we discovered allows attackers to bypass the sandbox, which means that users are able to compromise a system’s security in order to gain access to data.”