ServiceNow through San Diego Patch 4b and Patch 6 contains a cross-site scripting vulnerability in the logout functionality, which can enable an unauthenticated remote attacker to execute arbitrary JavaScript.
View the template here CVE-2022-38463.yaml
References:
https://github.com/ARPSyndicate/cvemon