Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated Medium on the CVSS scale. We would like to thank Iulian Florea at KPMG Romania for finding this vulnerability.
| Issue | Description | Impact |
|---|---|---|
| D23 | HTML Injection vulnerability. HTML Injection is an attack that is similar to Cross-site Scripting (XSS). Whereas an XSS vulnerability lets the attacker inject and execute JavaScript code, an HTML injection attack only allows the injection of certain HTML tags. Attackers often initiate an HTML Injection attack by sending a malicious link to a user and enticing the user to click it. | Clients with internet-facing applications should update or apply the hotfix. Clients running their own infrastructure should consult their security teams. |
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation for this issue will be included as part of the product in the 8.7.6 and 8.8.4 patch releases and the Infinity 23 release of the Pega Platform. A hotfix for 8.7.5 and 8.8.3 is available as described below. Hotfixes will not be provided for earlier versions.
It is very important to keep your Pega systems current on the latest patch releases.
The hotfix remediation is detailed in your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on Tuesday 8th Aug, 2023, in My Support Portal.
CVE Details
| CVE Details | D23 |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 7.1 to 8.8.3 |
| CVE ID | CVE-2023-4843 |
| CVSS Rating | 4.3 |
| Description | Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue in a name field used in Visual Business Director; however, this field can only be modified by an authenticated administrative user. |
Hotfix Details
| Hotfix Version | Hotfix ID |
|---|---|
| 8.7.5 | HFIX-A459 |
| 8.8.3 | HFIX-A418 |
A restart is NOT needed for this hotfix.