Vulnerabilites related to pega - pega_platform
cve-2020-24353
Vulnerability from cvelistv5
Published
2020-11-09 13:41
Modified
2024-08-04 15:12
Severity ?
EPSS score ?
Summary
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.
References
| ▼ | URL | Tags |
|---|---|---|
| https://community.pega.com/knowledgebase/products/platform/release-notes | x_refsource_MISC | |
| https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:12:08.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.pega.com/knowledgebase/products/platform/release-notes"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T13:41:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.pega.com/knowledgebase/products/platform/release-notes"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-24353",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.pega.com/knowledgebase/products/platform/release-notes",
"refsource": "MISC",
"url": "https://community.pega.com/knowledgebase/products/platform/release-notes"
},
{
"name": "https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502",
"refsource": "MISC",
"url": "https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24353",
"datePublished": "2020-11-09T13:41:31",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T15:12:08.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-35654
Vulnerability from cvelistv5
Published
2022-08-22 14:46
Modified
2024-08-03 09:36
Severity ?
EPSS score ?
Summary
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.5.4 < unspecified Version: unspecified < 8.7.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.5.4",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:45:07",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35654",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.5.4"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35654",
"datePublished": "2022-08-22T14:46:53",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-26465
Vulnerability from cvelistv5
Published
2023-06-09 00:00
Modified
2025-01-06 19:24
Severity ?
EPSS score ?
Summary
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 7.2 < unspecified Version: unspecified < 8.8.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:54.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:24:32.307051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:24:44.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "8.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maciej Piechota"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T00:00:00",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-26465",
"datePublished": "2023-06-09T00:00:00",
"dateReserved": "2023-02-23T00:00:00",
"dateUpdated": "2025-01-06T19:24:44.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-11355
Vulnerability from cvelistv5
Published
2017-08-02 19:00
Modified
2024-08-05 18:05
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve | x_refsource_CONFIRM | |
| https://www.exploit-db.com/exploits/42335/ | exploit, x_refsource_EXPLOIT-DB | |
| http://seclists.org/fulldisclosure/2017/Jul/28 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:05:30.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"name": "42335",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"name": "20170717 PEGA Platform \u003c= 7.2 ML0 - Multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-07T13:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"name": "42335",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"name": "20170717 PEGA Platform \u003c= 7.2 ML0 - Multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11355",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve",
"refsource": "CONFIRM",
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"name": "42335",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"name": "20170717 PEGA Platform \u003c= 7.2 ML0 - Multiple vulnerabilities",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11355",
"datePublished": "2017-08-02T19:00:00",
"dateReserved": "2017-07-16T00:00:00",
"dateUpdated": "2024-08-05T18:05:30.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-23957
Vulnerability from cvelistv5
Published
2020-12-15 20:31
Modified
2024-08-04 15:05
Severity ?
EPSS score ?
Summary
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:05:11.132Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-15T20:31:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23957",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f",
"refsource": "MISC",
"url": "https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23957",
"datePublished": "2020-12-15T20:31:17",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T15:05:11.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-15390
Vulnerability from cvelistv5
Published
2021-04-12 18:18
Modified
2024-08-04 13:15
Severity ?
EPSS score ?
Summary
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T18:18:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15390",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824",
"refsource": "MISC",
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15390",
"datePublished": "2021-04-12T18:18:20",
"dateReserved": "2020-06-29T00:00:00",
"dateUpdated": "2024-08-04T13:15:20.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-16387
Vulnerability from cvelistv5
Published
2019-11-26 17:25
Modified
2024-08-05 01:17
Severity ?
EPSS score ?
Summary
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
References
| ▼ | URL | Tags |
|---|---|---|
| https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:39.410Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-19T21:45:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16387",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/",
"refsource": "MISC",
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16387",
"datePublished": "2019-11-26T17:25:14",
"dateReserved": "2019-09-17T00:00:00",
"dateUpdated": "2024-08-05T01:17:39.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-32090
Vulnerability from cvelistv5
Published
2023-08-07 11:53
Modified
2024-10-09 18:13
Severity ?
EPSS score ?
Summary
Pega platform clients who are using versions 6.1 through 7.3.1 may be
utilizing default credentials
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 6.1 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pegasystems:pega_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pega_platform",
"vendor": "pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T17:55:40.791064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:13:45.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393 Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T11:53:48.738Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-32090",
"datePublished": "2023-08-07T11:53:48.738Z",
"dateReserved": "2023-05-01T21:15:33.974Z",
"dateUpdated": "2024-10-09T18:13:45.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-50167
Vulnerability from cvelistv5
Published
2024-03-06 17:15
Modified
2024-08-02 22:09
Severity ?
EPSS score ?
Summary
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 7.1.7 < 23.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T20:08:26.907065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:52.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "23.1.2",
"status": "affected",
"version": "7.1.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T17:15:08.248Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50167",
"datePublished": "2024-03-06T17:15:08.248Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2024-08-02T22:09:49.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17478
Vulnerability from cvelistv5
Published
2018-02-27 15:00
Modified
2024-08-05 20:51
Severity ?
EPSS score ?
Summary
An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages.
References
| ▼ | URL | Tags |
|---|---|---|
| https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:51:31.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-27T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17478",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478",
"refsource": "CONFIRM",
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17478",
"datePublished": "2018-02-27T15:00:00",
"dateReserved": "2017-12-08T00:00:00",
"dateUpdated": "2024-08-05T20:51:31.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-35656
Vulnerability from cvelistv5
Published
2022-08-22 14:47
Modified
2024-08-03 09:36
Severity ?
EPSS score ?
Summary
Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.3 < unspecified Version: unspecified < 8.7.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:49",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "H",
"S": "U",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35656",
"datePublished": "2022-08-22T14:47:57",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-4843
Vulnerability from cvelistv5
Published
2023-09-08 16:06
Modified
2024-09-25 20:06
Severity ?
EPSS score ?
Summary
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 7.1 < 8.8.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T16:23:47.988448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T20:06:07.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.4",
"status": "affected",
"version": "7.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Iulian Florea"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:44.528Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-4843",
"datePublished": "2023-09-08T16:06:44.528Z",
"dateReserved": "2023-09-08T15:15:45.371Z",
"dateUpdated": "2024-09-25T20:06:07.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-11356
Vulnerability from cvelistv5
Published
2017-08-02 19:00
Modified
2024-08-05 18:05
Severity ?
EPSS score ?
Summary
The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control.
References
| ▼ | URL | Tags |
|---|---|---|
| https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve | x_refsource_CONFIRM | |
| https://www.exploit-db.com/exploits/42335/ | exploit, x_refsource_EXPLOIT-DB | |
| http://seclists.org/fulldisclosure/2017/Jul/28 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:05:30.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"name": "42335",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"name": "20170717 PEGA Platform \u003c= 7.2 ML0 - Multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-07T13:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"name": "42335",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"name": "20170717 PEGA Platform \u003c= 7.2 ML0 - Multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11356",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve",
"refsource": "CONFIRM",
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"name": "42335",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"name": "20170717 PEGA Platform \u003c= 7.2 ML0 - Multiple vulnerabilities",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11356",
"datePublished": "2017-08-02T19:00:00",
"dateReserved": "2017-07-16T00:00:00",
"dateUpdated": "2024-08-05T18:05:30.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-35655
Vulnerability from cvelistv5
Published
2022-08-22 14:47
Modified
2024-08-03 09:36
Severity ?
EPSS score ?
Summary
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 7.3 < unspecified Version: unspecified < 8.7.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:33",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35655",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35655",
"datePublished": "2022-08-22T14:47:36",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-16388
Vulnerability from cvelistv5
Published
2019-11-26 17:26
Modified
2024-08-05 01:17
Severity ?
EPSS score ?
Summary
PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
References
| ▼ | URL | Tags |
|---|---|---|
| https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-16388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T19:35:15.418004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T19:35:22.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:39.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-19T21:45:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16388",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/",
"refsource": "MISC",
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16388",
"datePublished": "2019-11-26T17:26:23",
"dateReserved": "2019-09-17T00:00:00",
"dateUpdated": "2024-08-05T01:17:39.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-16386
Vulnerability from cvelistv5
Published
2019-11-26 17:23
Modified
2024-08-05 01:17
Severity ?
EPSS score ?
Summary
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
References
| ▼ | URL | Tags |
|---|---|---|
| https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:39.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo\u0026target=popup\u0026pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-19T21:43:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16386",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo\u0026target=popup\u0026pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/",
"refsource": "MISC",
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16386",
"datePublished": "2019-11-26T17:23:46",
"dateReserved": "2019-09-17T00:00:00",
"dateUpdated": "2024-08-05T01:17:39.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-28094
Vulnerability from cvelistv5
Published
2023-06-22 00:00
Modified
2024-12-06 21:20
Severity ?
EPSS score ?
Summary
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 7.4 < unspecified Version: unspecified < 8.8.* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:30:24.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T21:20:34.551749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T21:20:43.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.4",
"versionType": "custom"
},
{
"lessThan": "8.8.*",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393: Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-05T07:26:35.937Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-28094",
"datePublished": "2023-06-22T00:00:00",
"dateReserved": "2023-03-10T00:00:00",
"dateUpdated": "2024-12-06T21:20:43.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8774
Vulnerability from cvelistv5
Published
2020-04-29 14:11
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
References
| ▼ | URL | Tags |
|---|---|---|
| https://community.pega.com/node/1913996 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://community.pega.com/node/1913996"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the \"ActionStringID\" function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-29T14:30:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://community.pega.com/node/1913996"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the \"ActionStringID\" function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.pega.com/node/1913996",
"refsource": "CONFIRM",
"url": "https://community.pega.com/node/1913996"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8774",
"datePublished": "2020-04-29T14:11:01",
"dateReserved": "2020-02-06T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-11-26 18:15
Modified
2024-11-21 04:30
Severity ?
Summary
PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | 8.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "93EDE2E4-E5BA-43CA-A829-B950915B76D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect"
},
{
"lang": "es",
"value": "** EN DISPUTA ** PEGA Platform versi\u00f3n 8.3.0, es vulnerable a una petici\u00f3n directa de prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases mientras utiliza una cuenta de bajo privilegio. (Esto puede realizar acciones y recuperar datos a los que solo un administrador deber\u00eda tener acceso). NOTA: El proveedor afirma que esta vulnerabilidad se descubri\u00f3 mediante una cuenta de administrador y que son funciones de administrador normales. Por lo tanto, la afirmaci\u00f3n de que el CVE se hizo con una cuenta de privilegios bajos es incorrecta."
}
],
"id": "CVE-2019-16387",
"lastModified": "2024-11-21T04:30:36.960",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T18:15:15.460",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16387/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-22 15:15
Modified
2024-11-21 07:11
Severity ?
Summary
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4B89F750-1BC4-402D-9E29-63FF1FDF3376",
"versionEndIncluding": "8.7.3",
"versionStartIncluding": "8.5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
},
{
"lang": "es",
"value": "Pega Platform versiones desde 8.5.4 a 8.7.3, est\u00e1 afectada por un problema de tipo XSS con un usuario no autenticado y el par\u00e1metro de redireccionamiento."
}
],
"id": "CVE-2022-35654",
"lastModified": "2024-11-21T07:11:26.733",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-22T15:15:16.603",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-09 14:15
Modified
2024-11-21 05:14
Severity ?
Summary
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://community.pega.com/knowledgebase/products/platform/release-notes | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://community.pega.com/knowledgebase/products/platform/release-notes | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "65FB02CE-0E8D-4ACF-A337-75983D6B1CB4",
"versionEndExcluding": "8.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header."
},
{
"lang": "es",
"value": "Pega Platform versiones anteriores a 8.4.0, presenta un problema de tipo XSS por medio de los par\u00e1metros de reglas de transmisi\u00f3n usados en el encabezado de la petici\u00f3n"
}
],
"id": "CVE-2020-24353",
"lastModified": "2024-11-21T05:14:39.037",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-09T14:15:14.897",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://community.pega.com/knowledgebase/products/platform/release-notes"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://community.pega.com/knowledgebase/products/platform/release-notes"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=527502"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-26 18:15
Modified
2024-11-21 04:30
Severity ?
Summary
PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | 8.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "93EDE2E4-E5BA-43CA-A829-B950915B76D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect"
},
{
"lang": "es",
"value": "** EN DISPUTA ** PEGA Platform versi\u00f3n 8.3.0, es vulnerable a una divulgaci\u00f3n de informaci\u00f3n por medio de una petici\u00f3n directa de prweb/sso/random_token/!STANDARD?pyStream=MyAlerts para obtener informaci\u00f3n del Registro de Auditor\u00eda mientras utiliza una cuenta de bajo privilegio. NOTA: El proveedor afirma que esta vulnerabilidad se descubri\u00f3 mediante una cuenta de administrador y que son funciones de administrador normales. Por lo tanto, la afirmaci\u00f3n de que el CVE se hizo con una cuenta de privilegios bajos es incorrecta."
}
],
"id": "CVE-2019-16388",
"lastModified": "2024-11-21T04:30:37.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T18:15:15.523",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16388/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-425"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-22 21:15
Modified
2024-11-21 07:54
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C36507F-B90C-481F-9E47-9C5F8B33966D",
"versionEndIncluding": "8.8.3",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"id": "CVE-2023-28094",
"lastModified": "2024-11-21T07:54:23.410",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-22T21:15:09.163",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1393"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-27 15:29
Modified
2024-11-21 03:18
Severity ?
Summary
An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | 7.1.7 | |
| pega | pega_platform | 7.1.8 | |
| pega | pega_platform | 7.1.9 | |
| pega | pega_platform | 7.1.10 | |
| pega | pega_platform | 7.2 | |
| pega | pega_platform | 7.2.1 | |
| pega | pega_platform | 7.2.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:7.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "A5D9BC47-71D5-4B94-A080-CFAC9333B2FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:7.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "B4E12061-0EE0-438C-8404-ECE0F47B0618",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:7.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "7CFE81F3-D39E-4C6E-AFD3-079557547329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:7.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "919692B1-B283-4B23-A5D8-7319A11F319E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "ED25574F-17E0-488D-998C-3840BD4BB742",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:7.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D15022B1-12CE-446D-95D8-FF81D8974897",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:7.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6229EED8-044C-4DB0-94BB-2451D54BE1C5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages."
},
{
"lang": "es",
"value": "Se ha descubierto un problema de XSS en Designer Studio en Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1 y 7.2.2. Un usuario con credenciales de desarrollador puede insertar c\u00f3digo malicioso (hasta 64 caracteres) en un campo de texto en Designer Studio, tras haber establecido el contexto. Designer Studio es el \u00e1rea de trabajo para Pega Platform. La carga \u00fatil de XSS se ejecutar\u00e1 cuando otros desarrolladores visiten las p\u00e1ginas afectadas."
}
],
"id": "CVE-2017-17478",
"lastModified": "2024-11-21T03:18:00.670",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-27T15:29:00.443",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-09 21:15
Modified
2024-11-21 07:51
Severity ?
Summary
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FEEFD965-9089-473F-8443-D4CC25C297F8",
"versionEndIncluding": "8.8.1",
"versionStartIncluding": "7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue."
},
{
"lang": "es",
"value": "Las versiones 7.2 a 8.8.1 de Pega Platform est\u00e1n afectadas por un problema de Cross-Site Scripting (XSS). "
}
],
"id": "CVE-2023-26465",
"lastModified": "2024-11-21T07:51:33.403",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-09T21:15:09.413",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-22 15:15
Modified
2024-11-21 07:11
Severity ?
Summary
Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5206A56E-02D0-4547-AD67-902AB8885C8A",
"versionEndIncluding": "8.7.3",
"versionStartIncluding": "8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
},
{
"lang": "es",
"value": "La vulnerabilidad de Pega Platform versiones desde 8.3 a 8.7.3, puede permitir a administradores de seguridad autenticados alterar la configuraci\u00f3n de tipo CSRF directamente."
}
],
"id": "CVE-2022-35656",
"lastModified": "2024-11-21T07:11:26.980",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-22T15:15:16.713",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-12 19:15
Modified
2024-11-21 05:05
Severity ?
Summary
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | 8.4.0.237 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:8.4.0.237:*:*:*:*:*:*:*",
"matchCriteriaId": "2ED8DD11-875D-4415-B473-D032B85E785D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo."
},
{
"lang": "es",
"value": "pyActivity en Pega Platform versi\u00f3n 8.4.0.237, tiene una configuraci\u00f3n inapropiada de seguridad que conlleva a una vulnerabilidad de control de acceso inapropiado por medio de =GetWebInfo"
}
],
"id": "CVE-2020-15390",
"lastModified": "2024-11-21T05:05:28.330",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-12T19:15:13.737",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-08-07 12:15
Modified
2024-11-21 08:02
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Pega platform clients who are using versions 6.1 through 7.3.1 may be
utilizing default credentials
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D43B508A-73F9-4194-ADD8-81BCE889996A",
"versionEndIncluding": "7.3.1",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"id": "CVE-2023-32090",
"lastModified": "2024-11-21T08:02:41.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-07T12:15:10.433",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1393"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-26 18:15
Modified
2024-11-21 04:30
Severity ?
Summary
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * | |
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A2B5CC5-9194-46A1-A0C0-E841E5FA6583",
"versionEndIncluding": "7.4.0",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F5C2F008-5151-42C7-AD6F-44DEF9596C55",
"versionEndIncluding": "8.3.1",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo\u0026target=popup\u0026pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect"
},
{
"lang": "es",
"value": "** EN DISPUTA ** PEGA Platform versiones 7.x y 8.x, es vulnerable a una divulgaci\u00f3n de informaci\u00f3n por medio de una petici\u00f3n directa de prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo\u0026amp;target=popup\u0026amp;pzHarnessID=random_harness_id para obtener informaci\u00f3n del esquema de la base de datos mientras utiliza una cuenta de bajo privilegio. NOTA: El proveedor afirma que esta vulnerabilidad se descubri\u00f3 mediante una cuenta de administrador y que son funciones de administrador normales. Por lo tanto, la afirmaci\u00f3n de que el CVE se hizo con una cuenta de privilegios bajos es incorrecta."
}
],
"id": "CVE-2019-16386",
"lastModified": "2024-11-21T04:30:36.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T18:15:15.383",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.cybercastrum.com/2019/11/25/cve-2019-16386/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-425"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-06 18:15
Modified
2025-02-18 13:43
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * | |
| pega | pega_platform | 23.1.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5EA8AFB-67D6-4EA3-80B7-7B547CF4481B",
"versionEndExcluding": "8.8.5",
"versionStartIncluding": "7.1.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:pega_platform:23.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E4BE3C3-BCBC-4E12-9967-3E01A44AAC71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
},
{
"lang": "es",
"value": "Pega Platform de 7.1.7 a 23.1.1 se ve afectada por un problema XSS con la edici\u00f3n/presentaci\u00f3n de contenido html del usuario."
}
],
"id": "CVE-2023-50167",
"lastModified": "2025-02-18T13:43:27.293",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-06T18:15:46.133",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-02 19:29
Modified
2024-11-21 03:07
Severity ?
Summary
The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D99B50FB-B3F8-45B0-AF05-590CEBA16EA5",
"versionEndIncluding": "7.2_ml0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control."
},
{
"lang": "es",
"value": "La funcionalidad de exportaci\u00f3n de distribuciones de aplicaciones en PEGA Platform 7.2 ML0 y anteriores permite que los usuarios autenticados con los privilegios adecuados obtengan informaci\u00f3n sensible de configuraciones usando un control de acceso que no exist\u00eda."
}
],
"id": "CVE-2017-11356",
"lastModified": "2024-11-21T03:07:38.353",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-02T19:29:00.773",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
},
{
"source": "cve@mitre.org",
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/42335/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-02 19:29
Modified
2024-11-21 03:07
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D99B50FB-B3F8-45B0-AF05-590CEBA16EA5",
"versionEndIncluding": "7.2_ml0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page."
},
{
"lang": "es",
"value": "Existen m\u00faltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) en PEGA Platform 7.2 ML0 y anteriores que permiten a los atacantes inyectar scripts web o HTML arbitrarios con (1) PATH_INFO en la p\u00e1gina principal; (2) el par\u00e1metro beanReference en la p\u00e1gina del visor JavaBean; o (3) pyTableName en la p\u00e1gina de modificaci\u00f3n del esquema de base de datos del sistema."
}
],
"id": "CVE-2017-11355",
"lastModified": "2024-11-21T03:07:38.210",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-02T19:29:00.740",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
},
{
"source": "cve@mitre.org",
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/42335/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/42335/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-04-29 15:15
Modified
2024-11-21 05:39
Severity ?
Summary
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://community.pega.com/node/1913996 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://community.pega.com/node/1913996 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9165646-EFB8-48FE-BE26-C78C6D812A1D",
"versionEndExcluding": "8.2.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the \"ActionStringID\" function."
},
{
"lang": "es",
"value": "Pega Platform versiones anteriores a 8.2.6, est\u00e1 afectada por una vulnerabilidad de tipo Cross-Site Scripting Reflejado en la funci\u00f3n \"ActionStringID\"."
}
],
"id": "CVE-2020-8774",
"lastModified": "2024-11-21T05:39:24.813",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.3,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-29T15:15:11.473",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://community.pega.com/node/1913996"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://community.pega.com/node/1913996"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-15 21:15
Modified
2024-11-21 05:14
Severity ?
Summary
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82CB47EE-719A-402A-A920-51EBEF030096",
"versionEndIncluding": "8.4.2",
"versionStartIncluding": "8.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI."
},
{
"lang": "es",
"value": "Pega Platform versiones hasta 8.4.x, est\u00e1 afectada por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio del par\u00e1metro ConnectionID, como es demostrado por una petici\u00f3n pyActivity=Data-TRACERSettings.pzStartTracerSession hacia un URI PRAuth"
}
],
"id": "CVE-2020-23957",
"lastModified": "2024-11-21T05:14:15.313",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-15T21:15:15.157",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-08 17:15
Modified
2024-11-21 08:36
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "710BB881-CF11-4498-AB0E-54E3B4944C2E",
"versionEndIncluding": "8.8.3",
"versionStartIncluding": "7.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
},
{
"lang": "es",
"value": "Las versiones 7.1 a 8.8.3 de Pega Platform se ven afectadas por un problema de Inyecci\u00f3n HTML con un campo de nombre utilizado en Visual Business Director, sin embargo, este campo solo puede ser modificado por un usuario administrativo autenticado."
}
],
"id": "CVE-2023-4843",
"lastModified": "2024-11-21T08:36:05.370",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.4,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-08T17:15:30.570",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-22 15:15
Modified
2024-11-21 07:11
Severity ?
Summary
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pega | pega_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADCA1F2F-5451-4110-8D32-B1481EDCC076",
"versionEndIncluding": "8.7.3",
"versionStartIncluding": "7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
},
{
"lang": "es",
"value": "Pega Platform versiones desde 7.3 a 8.7.3, est\u00e1 afectada por un problema de tipo XSS debido a una configuraci\u00f3n err\u00f3nea de un ajuste de la p\u00e1gina de datos."
}
],
"id": "CVE-2022-35655",
"lastModified": "2024-11-21T07:11:26.867",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-22T15:15:16.663",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}