Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated High on the CVSS scale. We would like to thank Maciej Piechota and Adam Simuntis from SECFORCE for finding this vulnerability.
Issue | Description | Impact |
---|---|---|
A23 | Reflected Cross-Site Scripting (XSS) vulnerability | Cross-site scripting (XSS) is an attack in which an attacker injects malicious script into the output of a trusted application or website so that it executes in a victim's browser with that site's privileges. In the reflected form, the attacker typically sends a crafted link to a user and entices the user to click it; the payload carried in the link is echoed back unencoded in the application's response. Clients with internet-facing applications should update or apply the local change. Clients running their own infrastructure should consult their security teams. |
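The mechanism described above, as an added illustration that is not Pega code and does not reproduce the A23 flaw: a hypothetical search page reflects a query parameter (assumed name `q`) into its HTML, first without and then with HTML encoding. The hostname, parameter name and sample payload are constructed for the example.

```javascript
// Added example (hypothetical search page, not Pega code): reflected XSS
// arises when request input is written into the HTML response without
// encoding. The page the link points at is trusted, so injected script runs
// in the victim's browser under that site's origin.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can break out of an HTML text or
// double/single-quoted attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Pull the reflected parameter out of a crafted link (assumed parameter name "q").
function queryParam(link, name = 'q') {
  return new URL(link).searchParams.get(name) ?? '';
}

// Vulnerable: the search term is interpolated raw into the response body.
function renderUnsafe(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Hardened: the same template, with the term HTML-encoded before interpolation.
function renderSafe(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Crude check used only to contrast the two outputs: does the rendered HTML
// contain a live <script> tag? This is not a general XSS detector.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the kind of link an attacker would send to a victim.
const MALICIOUS_LINK =
  'https://app.example.invalid/search?q=' +
  encodeURIComponent('<script>alert(document.cookie)</script>');

// Render the reflected term both ways so the difference is visible.
function demo() {
  const term = queryParam(MALICIOUS_LINK);
  return { unsafe: renderUnsafe(term), safe: renderSafe(term) };
}

console.log(demo());
```

`escapeHtml` is only correct for HTML text and quoted-attribute contexts; a value placed inside a `<script>` block, an inline event handler, a URL, or CSS needs the encoder for that context, and a Content-Security-Policy that disallows inline script adds defence in depth when a reflection is missed.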
We are not aware of any of our clients being compromised as a result of this vulnerability.
For all clients, guidance is being provided to address the issue with a local change. The remediation for this issue will be included in the product in the 8.7.5 and 8.8.2 patch releases and in the Infinity '23 release of the Pega Platform.
It is very important to keep your Pega systems current on the latest patch releases. The local-change remediation is detailed in your Client Advisory ([CAD-] case), which was provided to your security and administrator contacts on Mar 2, 2023, in My Support Portal.
CVE Details
CVE Details | A23 |
---|---|
Software/Product | Pega Platform |
Affected Version(s) | 7.2 through 8.8.1 |
CVE ID | CVE-2023-26465 |
CVSS Rating | 8.0 (High) |
Description | Reflected Cross-Site Scripting (XSS) vulnerability |