Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases/hotfixes for 1 medium-severity security vulnerability in Pega Platform. We would like to thank Tomasz Stachowicz for finding this vulnerability.
| Advisory | Description | Impact | Remediation |
|---|---|---|---|
| I23 | Cross-Site Scripting (XSS) vulnerability | Medium: Clients with internet-facing applications should update or apply the hotfix. Clients running their own infrastructure should consult their security teams. | 8.3.6 Hotfix**, 8.8.3 Hotfix**, 8.8.4 hotfix, 23.1.1 hotfix; 8.8.5 patch release, 23.1.2 patch release |

**Initially reported by a client on 8.3.6 and 8.8.3; a hotfix for each was provided as a courtesy.
We are not aware of any of our clients being compromised as a result of this vulnerability.
We will not provide hotfixes on other prior versions of the platform, nor will we provide steps as part of a local change.
If you are a Pega Cloud client, your Pega Cloud® environments running the relevant Pega versions listed in the table below are being proactively remediated by Pega. Cloud Maintenance (CM) cases are being created for each of your environments, providing the schedule of when the hotfixes will be applied.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Service Request (SR) cases are being created which will provide the relevant hotfixes for you to apply to your PCFG environments.
If you are an on-premises or client-managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfixes.
As always, we recommend our clients review our Security Checklist regularly.
CVE Details
| CVE Details | XSS issue with editing/rendering user HTML content |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 7.1.7 to 23.1.1 |
| CVE ID | CVE-2023-50167 |
| CVSS Rating | 5.4 |
| Description | Cross-Site Scripting (XSS) vulnerability |
Hotfixes
Hotfixes exist, as noted above, for the following releases in standard support (8.8.4 and 23.1.1). We will not provide hotfixes on other prior versions of the platform, nor are steps available as part of a local change.
A restart will be needed for the hotfix changes to apply.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security and bug fixes. See Keeping current with Pega.
| Version | XSS issue with editing/rendering user HTML content |
|---|---|
| 8.3.6** | HFIX-A1613 |
| 8.8.3** | HFIX-A1614 |
| 8.8.4 | HFIX-A1629 |
| 23.1.1 | HFIX-A1630 |

**Initially reported by a client on 8.3.6 and 8.8.3; a hotfix for each was provided as a courtesy.