Question
Virtusa
IN
Last activity: 20 Feb 2025 7:22 EST
CKEditor -XSS Injection Security Issue in pega 8.8.3
We have reviewed the reference provided by Pega regarding the wrapper protection mechanism against injection attacks. While the wrapper appears to be in place, it does not seem to be functioning as expected. We have observed a successful XSS execution within CKEditor when a malicious payload was inserted. Below is a sample payload that bypassed the protection: <form><button formaction=javascript:alert(1)>CLICKME</button></form> Attached is the evidence demonstrating the XSS execution. Request for Justification: 1. Could you provide details on how Pega has implemented the wrapper code to protect against injection attacks? 2. Are there any recommended configurations or patches available to enhance security in CKEditor within Pega? 3. Is there a planned fix or workaround to mitigate this issue? Please advise on the next steps to address this security concern.
Updated: 20 Feb 2025 7:22 EST
Pegasystems Inc.
GB
@AnilKumarTechy All Security-related documentation can be found on the documentation server: Mitigating common security vulnerabilities.
Pega 8.8.3 is in Extended Support:
"Extended Support means clients should immediately update to the latest minor version to benefit from ongoing security and reliability improvements. Clients continue to receive support but need to update to the latest minor version to resolve non-production issues that they might experience."
You can always Review Security Advisories from the Important Links on the PSC.
@AnilKumarTechy All Security-related documentation can be found on the documentation server: Mitigating common security vulnerabilities.
Pega 8.8.3 is in Extended Support:
"Extended Support means clients should immediately update to the latest minor version to benefit from ongoing security and reliability improvements. Clients continue to receive support but need to update to the latest minor version to resolve non-production issues that they might experience."
You can always Review Security Advisories from the Important Links on the PSC.
If you are an on–premises or client managed cloud client, please review the available hotfixes on My Software --> My Security Hotfixes corresponding to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal.
Information regarding the availability of any Security hotfixes will be publicly posted on Pega Support Center.
As always, we recommend our clients review our Security Checklist regularly.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
Regarding your questions:
- Wrapper Implementation: The CKEditor implementation in Pega includes a custom wrapper code that utilizes the JSoupParser Utility to clean RTE content. This wrapper is designed to:
- Remove script tags in iframes
- Clean potentially dangerous attributes (like onerror, onchange)
- Filter out malicious HTML content
- Maintain compliance with OWASP standards
- Available Security Measures: There is a specific hotfix available for this vulnerability:
- Hotfix ID: HFIX-A1614 (specifically for Pega 8.8.3)
- This hotfix addresses the XSS vulnerability related to editing/rendering user HTML content
- The fix has been officially documented in the Pega Security Advisory - I23 Vulnerability