GitHub has issued critical-severity CVE-2024-47875, which affects multiple versions of DOMPurify. Pega is making a hotfix and patch releases available for the latest affected patch releases. We strongly advise clients to apply the hotfix or patch releases Pega has made available.
This vulnerability can affect Pega clients running releases 8.x through 24.2.1 of Pega Infinity. We are not aware of any of our clients being compromised as a result of this vulnerability.
To prevent malicious actors from exploiting this vulnerability, Pega has created the following remediations, which replace the potentially vulnerable DOMPurify module with a corrected version where GitHub has made one available. A hotfix is available for the latest affected patch release, 8.8.5. All other versions are corrected in patch releases.
| Advisory | Description | Impact | Remediation |
|---|---|---|---|
| DOMPurify Cross-Site Scripting - CVE-2024-47875 | Cross-site Scripting (XSS) | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3 of DOMPurify. | 8.8.5 hotfix; 23.1.5 Patch Release (available); 24.1.3 Patch Release (available); 24.2.2 Patch Release (available); 25.1.0 Release (available) |
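As an added example (not Pega's or DOMPurify's own code), the following script checks every DOMPurify copy recorded in a package-lock.json, including nested transitive copies, against the fixed versions the advisory names (2.5.0 and 3.1.3). The lockfile contents are constructed, and treating majors below 2 as affected and majors above 3 as fixed is an assumption, not something the advisory states.

```javascript
// Added example (not Pega's or DOMPurify's code): flag DOMPurify versions
// affected by CVE-2024-47875 against the fixed versions the advisory cites.
// Assumptions: majors below 2 are treated as affected, majors above 3 as fixed.
// "v3.1.3-rc.1" -> [3, 1, 3]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}
// Fixed versions per the advisory: 2.5.0 on the 2.x line, 3.1.3 on the 3.x line.
const FIXED_BY_MAJOR = { 2: "2.5.0", 3: "3.1.3" };
function isVulnerable(version) {
  const [major] = parseVersion(version);
  if (major < 2) return true;            // assumption: older lines are affected
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) return false; // assumption: later majors carry the fix
  return compareVersions(version, fixed) < 0;
}

// Walk a package-lock.json "packages" map (lockfileVersion 2 or 3) and report
// every DOMPurify copy, including nested copies pulled in by other packages.
function findDompurify(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/dompurify" || path.endsWith("/node_modules/dompurify")) {
      hits.push({ path, version: info.version, vulnerable: isVulnerable(info.version) });
    }
  }
  return hits;
}
// Constructed sample lockfile: the direct dependency is on a fixed release,
// but a widget ships its own nested copy that is still on an affected 2.x.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/dompurify": { version: "3.1.3" },
    "node_modules/some-widget/node_modules/dompurify": { version: "2.4.7" },
  },
};
for (const h of findDompurify(SAMPLE_LOCK)) {
  console.log(`${h.path} ${h.version} ${h.vulnerable ? "AFFECTED" : "fixed"}`);
}
```

Point `findDompurify` at `JSON.parse` of a real lockfile to audit a deployment; a hit with `vulnerable: true` means that copy still needs the corrected module.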
The remediation for this issue will be included as part of the product in the patch releases of the Pega Platform listed above.
If you are a Pega Cloud® client, your Pega Cloud environments running the relevant Pega releases listed in the tables on this page are being proactively remediated by Pega. Cloud Maintenance (CM) cases are being created for each of your environments and will provide the schedule of when the hotfixes will be applied. If you are not on a release with a solution provided, you need to upgrade as soon as possible.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Change (CC) cases are being created for the relevant hotfix, which will be applied by Pega. If you are not on a release with a solution provided, you need to upgrade as soon as possible.
If you are an on-premises or client-managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, you can download your hotfix directly from My Security Hotfixes on My Pega.
As always, we recommend our clients review our Security Checklist regularly.
Hotfixes
A hotfix has been created for the latest affected patch release, 8.8.5.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
| Version | Hotfix |
|---|---|
| 8.8.5 | HFIX-C3083 |
A restart is NOT needed after installing the hotfix.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
CVE Details
| CVE Details | Issue: XSS with DOMPurify |
|---|---|
| Software/Product | DOMPurify |
| Pega Infinity Affected Release(s) | From 8.x to 24.2.1 |
| CVE ID | CVE-2024-47875 (DOMPurify) |
| CVSS Rating | Critical (10) |
| Description | Cross-site Scripting (XSS) |
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.