CVE-2023-32089: Support Center
Pega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega was notified of 3 security vulnerabilities that are rated Medium on the CVSS scale. We would like to thank Reuben Seymour, Amber Hamlet and Skyler Knecht for finding these vulnerabilities.
Issue: E23 Cross-Site Scripting (XSS) vulnerability
Description: Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Impact: Clients with internet-facing applications should update or apply the hotfix. Clients running their own infrastructure should consult their security teams.
This affects normal authenticated users.
We are not aware of any of our clients being compromised as a result of this vulnerability.
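The description above says what XSS is but not where the injection actually happens in a page. The following is an added example written for this advisory, not Pega code: it takes a constructed pin description (the "Pin description" field name is borrowed from the advisory only as a label; the object shape, function names and markup are assumptions) and contrasts concatenating untrusted text straight into HTML with escaping it first, which is the control the hotfixes on this page apply.

```javascript
// Added example (not Pega's code): why untrusted text such as a pin
// description must be HTML-escaped before it is placed in markup.

// Escape the five characters that carry meaning in HTML text and
// attribute-value contexts. The result is safe both as element content
// and inside a double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: the description is concatenated directly into markup,
// so any tag it contains becomes part of the page for every viewer.
function renderPinUnsafe(pin) {
  return `<div class="pin" title="${pin.description}"><p>${pin.description}</p></div>`;
}

// Hardened form: every untrusted field is escaped at the point where it
// meets HTML, in both the attribute and the element-content context.
function renderPinSafe(pin) {
  const desc = escapeHtml(pin.description);
  return `<div class="pin" title="${desc}"><p>${desc}</p></div>`;
}

// Illustrative check only (not a real XSS detector): after removing the
// <div> and <p> tags the template itself emits, is any other tag left?
function containsInjectedTag(html) {
  const remaining = html.replace(/<\/?(div|p)\b[^>]*>/g, "");
  return /<[a-zA-Z!\/]/.test(remaining);
}

// Constructed sample input standing in for a user-supplied pin description.
const samplePin = {
  description: "Review <script>alert(1)</script> before Friday",
};

// Renders both forms for the sample so the difference can be inspected.
function demo() {
  return {
    unsafe: renderPinUnsafe(samplePin),
    safe: renderPinSafe(samplePin),
  };
}

console.log(demo());
```

The escaping function is deliberately context-limited: it covers element content and quoted attribute values, which is where a description string normally lands. Text that ends up inside a `<script>` block, a URL, or inline CSS needs a different encoder for that context, which is the same point the linked Label-control article makes for Pega's own controls.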
The remediation for this issue will be included as part of the product in the 8.7.6 and 8.8.4 patch releases and the Infinity 23.1.1 release of the Pega Platform. Hotfixes are being created only for the latest patch releases in standard support (8.7.5 and 8.8.3, and Infinity 23.1.0). We will not provide hotfixes for prior versions of the platform, nor will we provide steps as part of a local change.
If you are a Pega Cloud® client or a United States Pega Cloud for Government (PCFG) client, details on next actions are listed in your Client Advisory (CAD case).
If you are an on-premises or client-managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfixes.
As always, we recommend our clients review our Security Checklist regularly.
Please refer to your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on Sept 21, 2023, in My Support Portal.
CVE Details
Issue | Software/Product | Affected Version(s) | CVE ID | CVSS Rating | Description
XSS issue with task creation | Pega Platform | From 8.1 to Infinity 23.1.0 | CVE-2023-32087 | 4.6 | Cross-Site Scripting (XSS) vulnerability
XSS issue with ad-hoc case creation | Pega Platform | From 8.1 to Infinity 23.1.0 | CVE-2023-32088 | 4.6 | Cross-Site Scripting (XSS) vulnerability
XSS issue with Pin description | Pega Platform | From 8.1 to 8.8.2 | CVE-2023-32089 | 4.6 | Cross-Site Scripting (XSS) vulnerability
Hotfix Details
Hotfixes have been created only for the latest patch releases in standard support (8.7.5 and 8.8.3, and Infinity 23.1.0). We will not provide hotfixes for prior versions of the platform, nor will we provide steps as part of a local change.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security and bug fixes. See Keeping current with Pega.
Version | XSS issue with task creation | XSS issue with ad-hoc case creation | XSS issue with Pin description
8.7.5 | HFIX-A666 | HFIX-A666 | HFIX-A667
8.8.3 | HFIX-A665 | HFIX-A665 | Fixed in release
Inf 23.1.0 | HFIX-A781 | HFIX-A781 | Fixed in release
The fixes for these issues are contained in the following patch releases: the 8.7.6 patch release was made available on Sept. 29, 2023; the 8.8.4 patch release is targeted for the end of Oct. 2023; the Infinity 23.1.0 release was made available on Sept. 13, 2023; and the Infinity 23.1.1 release is targeted for Nov. 2023. See the patch calendar: https://support.pega.com/pega-infinity-patch-calendar
In addition, please review the following article regarding preventing risk of XSS attack when specifying Label controls: https://support.pega.com/support-doc/preventing-risk-xss-attack-when-specifying-label-controls-sdr-a71