There exists an open redirect within the response list update functionality of ServiceNow. This allows attackers to redirect users to arbitrary domains when clicking on a URL within a service-now domain.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1219857