Pega continually works to implement security controls designed to protect client environments. With this focus, Pega was notified of three security vulnerabilities that are rated Medium on the CVSS scale. We would like to thank Reuben Seymour, Amber Hamlet and Skyler Knecht for finding these vulnerabilities.
| Issue | Description | Impact |
| E23 | Cross-Site Scripting (XSS) vulnerability | Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. Clients with internet-facing applications should update or apply the hotfix. Clients running their own infrastructure should consult their security teams. This affects normal authenticated users. |
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation for this issue will be included as part of the product in the 8.7.6 and 8.8.4 patch releases and the Infinity 23.1.1 release of the Pega Platform. Hotfixes are being created only for the latest patch releases in standard support (8.7.5 & 8.8.3, and Infinity 23.1.0). We will not provide hotfixes on prior versions of the platform, nor will we provide steps as part of a local change.
If you are a Pega Cloud® client or a United States Pega Cloud for Government (PCFG) client, details on next actions are listed in your Client Advisory (CAD case).
If you are an on-premises or client-managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfixes.
As always, we recommend our clients review our Security Checklist regularly.
Please refer to your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on Sept 21, 2023, in My Support Portal.
CVE Details
| CVE Details | Issue: XSS issue with task creation | Issue: XSS issue with ad-hoc case creation | Issue: XSS issue with Pin description |
| Software/Product | Pega Platform | Pega Platform | Pega Platform |
| Affected Version(s) | From 8.1 to Infinity 23.1.0 | From 8.1 to Infinity 23.1.0 | From 8.1 to 8.8.2 |
| CVE ID | CVE-2023-32087 | CVE-2023-32088 | CVE-2023-32089 |
| CVSS Rating | 4.6 | 4.6 | 4.6 |
| Description | Cross-Site Scripting (XSS) vulnerability | Cross-Site Scripting (XSS) vulnerability | Cross-Site Scripting (XSS) vulnerability |
Hotfix Details
Hotfixes have been created only for the latest patch releases in standard support (8.7.5 & 8.8.3, and Infinity 23.1.0). We will not provide hotfixes on prior versions of the platform, nor will we provide steps as part of a local change.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security and bug fixes. See Keeping current with Pega.
| Version | XSS issue with task creation | XSS issue with ad-hoc case creation | XSS issue with Pin description |
| 8.7.5 | HFIX-A666 | HFIX-A666 | HFIX-A667 |
| 8.8.3 | HFIX-A665 | HFIX-A665 | Fixed in release |
| Inf 23.1.0 | HFIX-A781 | HFIX-A781 | Fixed in release |
The fixes for these issues are contained in the following patch releases: the 8.7.6 patch release was made available on Sept. 29, 2023; the 8.8.4 patch release is targeted for the end of Oct. 2023; the Infinity 23.1.0 release was made available on Sept. 13, 2023; and the Infinity 23.1.1 release is targeted for Nov. 2023. See the patch calendar at https://support.pega.com/pega-infinity-patch-calendar
In addition, please review the following article regarding preventing risk of XSS attack when specifying Label controls: https://support.pega.com/support-doc/preventing-risk-xss-attack-when-specifying-label-controls-sdr-a71