Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 ORLANDO CABRERA (ORLANDOC16831657)
Sun Life

Sun Life
CA
ORLANDOC16831657 Member since 2023 2 posts
Sun Life
Posted: Jul 12, 2023
Last activity: Jul 17, 2023
Posted: 12 Jul 2023 8:26 EDT
Last activity: 17 Jul 2023 5:54 EDT
Closed

A23 Hotfix applied but stored XSS still an issue

Greetings,

Our PEGA has the A23 hotfix but one of our web page that allows user to enter note and message note is vulnerable to stored XSS attack.

I am not sure how the A23 works.

Do we need an extra steps on the pega web page to filter xss script?

Please advise.

***Edited by Moderator Marije to add Capability tags***
To see attachments, please log in.
Pega Platform
Security
Installation and Deployment

Posted: 2 years ago
Updated: 2 years ago
Posted: 12 Jul 2023 8:51 EDT
Updated: 13 Jul 2023 6:26 EDT
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@ORLANDOC16831657 are you able to locate the CAD (Client Advisory Support ticket) that would have been logged for your designated Security Contact or Account Administrator for your organization?  That ticket will have contained all the details.

A23 Security Vulnerability is a Reflected Cross-Site Scripting (XSS) vulnerability in Pega Platform. XSS attacks involve an attacker injecting malicious executable scripts into the code of a trusted application or website. The vulnerability has a CVSS rating of 8.0 and affects Pega Platform versions from 7.2 to 8.8.1. The remediation for this issue will be included in the 8.7.5 and 8.8.2 patch releases and the Infinity 23' release of the Pega Platform.

Clients with internet-facing applications should update or apply the local change provided in the Client Advisory case.  

Please locate your designated Security Contact who will have details of the workaround as listed in (I think...) CAD-18789  which you can look up in MSP.   Anyone who is an MSP user will be able to see the CAD… Note:  As its closed it’ll be in the "RESOLVED" list.

Please also check INC-265751 where there were some follow-on questions answered by our support team.

Please see Pega Security Advisory - A23 Vulnerability - Remediation Note

To see attachments, please log in.
Posted: 2 years ago
Updated: 2 years ago
Posted: 12 Jul 2023 9:45 EDT
Updated: 17 Jul 2023 5:54 EDT
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@ORLANDOC16831657   the A23 documentation is contained in the link I provided already.  Within that article are also the steps to prevent XSS.

As always, we recommend our clients review our Security Checklist regularly. 

Filtering HTML and XML outputs

xss

Confidentiality and industry security concerns prevent me from publishing the CAD-provided workaround on this public-facing domain.

Please locate your designated Security Contact who will have details of the workaround as listed in (I think...) CAD-18789  which you can look up in MSP.   Anyone who is an MSP user will be able to see the CAD… Note:  As it is in status closed it’ll be in the "RESOLVED" list.

Please also check INC-265751 where there were some follow-on questions answered by our support team.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice