CVE-2023-4843: Support Center
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue in a name field used in Visual Business Director; however, this field can only be modified by an authenticated administrative user.
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated Medium on the CVSS scale. We would like to thank Iulian Florea at KPMG Romania for finding this vulnerability.
Issue: D23, HTML Injection vulnerability
Description: HTML Injection is an attack similar to Cross-site Scripting (XSS). Whereas an XSS vulnerability lets the attacker inject and execute JavaScript code, an HTML injection attack only allows the injection of certain HTML tags. Attackers often initiate an HTML Injection attack by sending a malicious link to a user and enticing the user to click it.
Impact: Clients with internet-facing applications should update or apply the local change. Clients running their own infrastructure should consult their security teams.
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation for this issue will be included as part of the product in the 8.7.6 and 8.8.4 patch releases and the Infinity 23 release of the Pega Platform. A hotfix for 8.7.5 and 8.8.3 is available as described below. Hotfixes will not be provided for earlier versions.
It is very important to keep your Pega systems current on the latest patch releases.
The local change remediation is detailed in your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on Mon XX, 2023, in My Support Portal.
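The root cause described above is a stored value rendered into a page without output encoding. The following is an added example, not Pega's code: it shows the vulnerable rendering pattern beside its escaped form, plus a small audit helper a defender can run over existing name values; the template, function names and the sample name are assumptions.

```python
import html
import re

# Constructed sample: a display name an administrator could have stored in a
# name field (placeholder value, not taken from the advisory).
SAMPLE_NAME = 'Sales <b>Region</b> <a href="https://example.invalid">West</a>'

# Assumed page fragment that echoes the stored name back to other users.
PAGE_TEMPLATE = "<h2>Dashboard: {name}</h2>"


def render_name_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into the page
    as-is, so any markup inside it is parsed by the browser."""
    return PAGE_TEMPLATE.format(name=name)


def render_name_safe(name: str) -> str:
    """Hardened pattern: HTML-escape the value at output time so it is shown
    as literal text. quote=True also escapes quotes, which matters when the
    same value is ever placed inside an attribute."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


# Matches an opening or closing HTML tag; a lone "<" (e.g. "a < b") does not match.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_markup_in_names(names):
    """Audit helper: return stored names that already contain HTML tags, so
    records created before the hotfix can be reviewed and cleaned up."""
    return [n for n in names if TAG_RE.search(n)]


if __name__ == "__main__":
    print(render_name_unsafe(SAMPLE_NAME))
    print(render_name_safe(SAMPLE_NAME))
    print(find_markup_in_names(["Finance", SAMPLE_NAME]))
```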
CVE Details
Issue: D23
Software/Product: Pega Platform
Affected Version(s): From 7.1 to 8.8.3
CVE ID: CVE-2023-4843
CVSS Rating: 4.3
Description: Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue in a name field used in Visual Business Director; however, this field can only be modified by an authenticated administrative user.
Hotfix Details
Hotfix Version: Hotfix ID
8.7.5: HFIX-A459
8.8.3: HFIX-A418
A restart is NOT needed for this hotfix.