Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases/hotfixes for 1 medium-severity security vulnerability in Pega Platform. We would like to thank Tomasz Stachowicz for finding this vulnerability.
| Advisory | Description | Impact |
|---|---|---|
| H23 | Cross Site Script (XSS) vulnerability | Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. Clients with internet-facing applications should update or apply the hotfix. Clients running their own infrastructure should consult their security teams. |
We are not aware of any of our clients being compromised as a result of this vulnerability. Pega will be issuing a public CVE associated with it.
The remediation for this issue is already included as part of the product in the 8.7.6 and 8.8.4 patch releases and the Infinity 23.1.0 release of the Pega Platform. This issue was initially reported by clients on versions 8.7.4 and 8.8.3, and hotfixes were provided for those two versions. We will not provide hotfixes on other prior versions of the platform.
If you are a Pega Cloud client, your Pega Cloud® environments running the relevant Pega versions listed in the table below are being proactively remediated by Pega. Cloud Maintenance [ CM ] cases are being created for each of your environments; each case provides the schedule of when the hotfixes will be applied.
If you are a United States Pega Cloud for Government (PCFG) client, Service Request [ SR ] cases are being created which will provide the relevant hotfixes for you to apply to your PCFG environments.
If you are an on-premises or client-managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfixes.
As always, we recommend our clients review our Security Checklist regularly.
CVE Details:
| CVE Details | XSS issue with redirect script |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 8.5.4 to 8.8.3 |
| CVE ID | CVE-2023-50166 |
| CVSS Rating | 6.1 |
| Description | Cross Site Script (XSS) vulnerability |
Hotfixes:
Hotfixes exist, as noted above, for the following releases in standard support (8.7.4 and 8.8.3). We will not provide hotfixes on other prior versions of the platform.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
| Version | Hotfix |
|---|---|
| 8.7.4 | HFIX-A203 |
| 8.8.3 | HFIX-A170 |