CVE-2023-26465: Support Center
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated High on the CVSS scale. We would like to thank Maciej Piechota and Adam Simuntis from SECFORCE for finding this vulnerability.
Issue: A23
Description: Reflected Cross-Site Script (XSS) vulnerability. Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
Impact: Clients with internet-facing applications should update or apply the local change. Clients running their own infrastructure should consult their security teams.
We are not aware of any of our clients being compromised as a result of this vulnerability.
For all clients, guidance is being provided to address the issue with a local change. The remediation for this issue will be included as part of the product in the 8.7.5 and 8.8.2 patch releases and the Infinity '23 release of the Pega Platform.
It is very important to keep your Pega systems current on the latest patch releases. The local change remediation is detailed in your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on Mar 2, 2023, in My Support Portal.
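As an added illustration of the reflected XSS pattern the description above refers to (this is not Pega Platform code, it does not reproduce the CVE-2023-26465 flaw, and the route, parameter name and sample link are constructed for the example), the following shows a reflected query parameter spliced into a page verbatim next to the same page built with contextual HTML encoding, plus a small check that a test suite can use to flag tags the template did not contribute:

```javascript
// Added example, not Pega code: reflected parameter rendered unsafely vs. encoded.
// The advisory does not state which output context was affected; the encoder
// below is for the HTML text/attribute context and is an assumption of this example.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encode the five characters that can change meaning inside HTML text or
// quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the reflected parameter the way a server sees it after URL decoding.
function reflectedParam(link, name) {
  return new URL(link).searchParams.get(name) ?? '';
}

// Vulnerable pattern: the decoded parameter lands in the markup unchanged, so
// a crafted link controls what the victim's browser executes.
function renderUnsafe(link) {
  return `<p>Results for: ${reflectedParam(link, 'q')}</p>`;
}

// Hardened pattern: encode at the exact point the value crosses into HTML.
function renderSafe(link) {
  return `<p>Results for: ${escapeHtml(reflectedParam(link, 'q'))}</p>`;
}

// Detection helper for tests: count tags in the output that are not the
// template's own <p>...</p> pair. Any non-zero result means user input
// reached the page as markup.
function foreignTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) ?? [];
  return tags.filter((t) => !/^<\/?p>$/.test(t)).length;
}

// Constructed sample link (hypothetical host and route) carrying the textbook
// script marker in its query string.
const SAMPLE_LINK = 'https://app.example.invalid/search?q=<script>alert(1)</script>';

console.log('unsafe :', renderUnsafe(SAMPLE_LINK), '| foreign tags:', foreignTagCount(renderUnsafe(SAMPLE_LINK)));
console.log('safe   :', renderSafe(SAMPLE_LINK), '| foreign tags:', foreignTagCount(renderSafe(SAMPLE_LINK)));
```

The encoder must match the context the value is written into (HTML body, attribute, URL, or JavaScript each need different escaping); in a real application the platform's templating or output-encoding API should do this rather than a hand-written function, and the tag-count check is only a coarse regression test, not a substitute for a proper HTML parser or a content security policy.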
CVE Details: A23
Software/Product: Pega Platform
Affected Version(s): From 7.2 to 8.8.1
CVE ID: CVE-2023-26465
CVSS Rating: 8.0
Description: Reflected Cross-Site Script (XSS) vulnerability