Security Bulletins
Our clients trust Pega to prevent security events, protect their data, and adhere to the most stringent global compliance standards. To earn that trust, we’re fully committed to transparency, which is why we’re sharing our security bulletins here.
2024 Security Bulletin
CVE-2024-10716
5.9
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. In this scenario only an authorized Pega user with developer access can carry out this attack.
CVE-2024-10094
9.1
Improper Control of Generation of Code may allow an attacker to craft the code in such a way that it will alter the intended control flow of the product.
CVE-2024-6700
CVE-2024-6701
CVE-2024-6702
5.2-5.5
Cross Site scripting - attacker injects malicious executable scripts into the code of a trusted application or website.
HTML Injection - similar to cross-site scripting (XSS), however attacker is only able to inject certain HTML tags.
Only an authorized Pega user with developer access can perform these attacks.
CVE-2023-50168
7.7
A type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
2023 Security Bulletin
CVE-2023-50167
5.4
An attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
CVE-2023-50166
6.1
An attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
CVE-2023-50165
8.5
An issue with generated PDF files due to a Collaboration Documents feature that could expose file contents.
No CVE
6.5
Mashup rendering issue: whereby the URL being processed was truncated and defaulted to the access group portal which may provide more data than intended if the default portal access is not properly configured for anonymous authentication.
CVE-2023-32087
CVE-2023-32088
CVE-2023-32089
4.6
Pega Platform versions 8.1 to 8.8.3 are affected by 3 Cross-site Scripting (XSS) issue.
CVE-2023-4843
4.3
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.
CVE-2023-26465
8.0
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
CVE-2023-26466
CVE-2023-26467
CVE-2023-28093
7.5-8.1
A bad actor with non-admin user access to a client desktop, with Pega Synchronization Engine, could modify configuration files and execute malicious code on the client desktop that could provide them with Administrative access.
CVE-2022-23539
CVE-2022-23540
CVE-2022-23541
6.4
Three vulnerabilities were recently identified in the JsonWebToken software that could lead to unintended actions.
2022 Security Bulletin
N/A
7.1
This issue allows authenticated users (including anonymous users) to escalate privileges and affects Pega Platform versions 8.5 and above. See Configuring an application to use an anonymous authentication service to learn more about anonymous users.
N/A
5.3
Pega Portlet Authentication issue: Java Specification Request 168 and 286 (JSR 168 and JSR 286) describes a Java Application Programming Interface (API) for portlets, the user interface components for display in web portal servers. The Pega Platform supports the development and deployment of JSR-compliant portlet.
CVE-2022-42889
9.8
Apache Commons Text software vulnerability could allow malicious actors to perform string interpolation to trigger network access or code execution.
CVE-2022-35656
6.8
Pega Platform versions 8.3 to 8.7.3 may allow authenticated security administrators to alter CSRF settings directly.
CVE-2022-35655
6.1
Pega Platform versions 7.3 to 8.7.3 are affected by an XSS issue due to a misconfiguration of a DataPage setting.
CVE-2022-35654
6.1
Pega Platform versions 8.5.4 to 8.7.3 are affected by an XSS issue with an unauthenticated user and the redirect parameter.
CVE-2022-24083
9.8
In versions 7.3.1 through to 8.7.2 of Pega Infinity, password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.
CVE-2022-24082
9.8
In Pega Platform versions 8.1 and above, for on-premises clients, there is the potential for malicious actors to run Remote Code Execution using the JMX interface on Cassandra and Kafka, in situations where clients leave unneeded network ports exposed.
ID
No CVE
Score
5.7
Summary
A medium security misconfiguration could provide an authenticated, trusted developer with unintended low-level interaction capability.
2021 Security Bulletin
CVE-2021-44228
10.0
Apache Log4j logging software vulnerability could allow malicious actors to take control of organizational networks using Log4j.
Microsoft recently reported that Nobelium, the threat actor behind the SolarWinds compromise in December 2020, is again actively trying to access corporate technology supply chains. Pega's security team continuously monitors its corporate and Pega Cloud infrastructure, and, to date, we have not detected any unusual activity indicating a Nobelium-related compromise. In addition, our suppliers have not advised us of any related compromises. We will continue to engage third parties to assess and enhance our security infrastructure through penetration testing, purple team exercises, and adversary hunts.
Name
Cloud SSL Cipher Suite Changes
Summary
Changes in supported TLS protocols and ciphers suites take effect as a result of any environment infrastructure update that takes place after September 2021. To learn more about these changes and the TLS encryption settings that are supported, see Data-in-transit encryption in Pega Cloud article and link.
ID
CVE-2021-27651
Score
9.8
Summary
In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
ID
CVE-2020-15390
Score
9.8
Summary
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
ID
CVE-2021-27653
Score
6.6
Summary
Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.
2020 Security Bulletin
ID
CVE-2020-23957
Score
4.3
Summary
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
ID
CVE-2020-24353
Score
4.3
Summary
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.
ID
CVE-2019-16374
Score
7.5
Summary
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
ID
CVE-2020-8775
Score
6
Summary
Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags.
ID
CVE-2020-8774
Score
6.8
Summary
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
ID
CVE-2020-8773
Score
6
Summary
The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability.