Lucene search

Pega Platform Security Vulnerabilities

cve

CVE-2017-11355

Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database s...

6.1CVSS

6AI Score

0.002EPSS

2017-08-02 07:29 PM

cve

CVE-2017-11356

The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control.

6.5CVSS

5.9AI Score

0.001EPSS

2017-08-02 07:29 PM

cve

CVE-2017-17478

An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the ...

4.8CVSS

5AI Score

0.001EPSS

2018-02-27 03:29 PM

cve

CVE-2019-16374

Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.

9.8CVSS

9.4AI Score

0.003EPSS

2020-08-13 01:15 PM

cve

CVE-2019-16386

PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerab...

4.3CVSS

4.5AI Score

0.001EPSS

2019-11-26 06:15 PM

cve

CVE-2019-16387

PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_ListDatabases request while using a low-privilege account. (This can perform actions and retrieve data that only an administrator should have access to.) NOTE: The vendor states tha...

8.1CVSS

8AI Score

0.001EPSS

2019-11-26 06:15 PM

cve

CVE-2019-16388

PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and the...

4.3CVSS

4.5AI Score

0.001EPSS

2019-11-26 06:15 PM

cve

CVE-2020-15390

pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.

9.8CVSS

9.3AI Score

0.004EPSS

2021-04-12 07:15 PM

cve

CVE-2020-23957

Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.

6.1CVSS

6AI Score

0.001EPSS

2020-12-15 09:15 PM

cve

CVE-2020-24353

Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.

6.1CVSS

6AI Score

0.001EPSS

2020-11-09 02:15 PM

cve

CVE-2020-8773

The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability.

8.9CVSS

7.2AI Score

0.001EPSS

2020-04-29 03:15 PM

cve

CVE-2020-8774

Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.

8.8CVSS

7.9AI Score

0.002EPSS

2020-04-29 03:15 PM

cve

CVE-2020-8775

Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags.

8.9CVSS

6.9AI Score

0.001EPSS

2020-04-29 04:15 PM

cve

CVE-2022-35654

Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.

6.1CVSS

6AI Score

0.001EPSS

2022-08-22 03:15 PM

cve

CVE-2022-35655

Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.

6.1CVSS

5.9AI Score

0.001EPSS

2022-08-22 03:15 PM

cve

CVE-2022-35656

Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.

4.5CVSS

4.7AI Score

0.0005EPSS

2022-08-22 03:15 PM

cve

CVE-2023-26465

Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.

6.1CVSS

7.3AI Score

0.0005EPSS

2023-06-09 09:15 PM

cve

CVE-2023-28094

Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.

9.8CVSS

9.3AI Score

0.002EPSS

2023-06-22 09:15 PM

cve

CVE-2023-32087

Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation

6.1CVSS

5.9AI Score

0.001EPSS

2023-10-18 12:15 PM

cve

CVE-2023-32088

Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation

6.1CVSS

5.9AI Score

0.001EPSS

2023-10-18 12:15 PM

cve

CVE-2023-32089

Pega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description

6.1CVSS

5.9AI Score

0.001EPSS

2023-10-18 12:15 PM

cve

CVE-2023-32090

Pega platform clients who are using versions 6.1 through 7.3.1 may beutilizing default credentials

9.8CVSS

9.3AI Score

0.002EPSS

2023-08-07 12:15 PM

cve

CVE-2023-4843

Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.

4.8CVSS

5.1AI Score

0.001EPSS

2023-09-08 05:15 PM

cve

CVE-2023-50165

Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by an Generated PDF issue that could expose file contents.

8.6CVSS

8.4AI Score

0.001EPSS

2024-01-31 06:15 PM

cve

CVE-2023-50166

Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.

6.1CVSS

6AI Score

0.001EPSS

2024-01-31 06:15 PM