Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases and a hotfix for one medium security vulnerability in Pega Platform. This issue can only be exploited by users with Pega Developer access. We would like to acknowledge Konrad Zbylut for finding this vulnerability.
| Advisory | Description | Impact | Remediation |
|---|---|---|---|
| E24 | Cross Site Scripting (XSS) vulnerability | Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. In this scenario only an authorized Pega user with developer access can carry out this attack. | 8.8.5 hotfix (initially reported by a client on 8.8.5, and a hotfix was provided as a courtesy); 23.1.4 Patch Release; 24.1.2 Patch Release; 24.2.1 Patch Release |
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation for this issue will be included as part of the product in the patch releases of the Pega Platform listed above. A hotfix for Pega Platform 8.8.5 is available as described below.
We will not provide hotfixes on other prior versions of the Pega Platform, nor will we provide steps as part of a local change.
If you are a Pega Cloud® client, your Pega Cloud environments, running the relevant Pega versions listed in the table below, are being proactively remediated by Pega. Cloud Maintenance (CM) cases are being created for each of your environments and will provide the schedule of when the hotfixes will be applied.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Change (CC) cases are being created for the relevant hotfix, which will be applied by Pega.
If you are an on-premises or client-managed cloud client, please review the table below to determine which hotfix corresponds to your Pegasystems installation.
Once you have determined the appropriate hotfix IDs, you can now download your hotfix directly from My Security Hotfixes on My Pega. This facility enables self-service access to security hotfixes, without the need to raise a support ticket.
As always, be sure you have appropriate backups in place before applying the hotfix.
Information regarding the availability of the remediations will be publicly posted on Pega Support Center on December 5, 2024. In order to give all Pega clients time to patch their systems, we request that clients not discuss this in public forums until after it’s been publicly posted.
As always, we recommend our clients review our Security Checklist regularly.
Hotfixes
A hotfix is being created only for the 8.8.5 patch release. We will not provide hotfixes on prior versions of Pega Platform.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security and bug fixes. For more details please review Keeping Current with Pega.
| Pega Platform Version | Reflected XSS issue with Search |
|---|---|
| 8.8.5 | HFIX-B2741 |
A restart is not needed after installing the hotfix.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
CVE Details
| CVE Details | Reflected XSS issue with Search |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.1 to 24.2.0 |
| CVE ID | CVE-2024-10716 |
| CVSS Rating | Medium – 5.9 |
| Description | Reflected Cross-Site Scripting (XSS) vulnerability |
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.