Search

Find a vulnerability

Search criteria

    20 vulnerabilities found for infinity by pega

    CVE-2024-10716 (GCVE-0-2024-10716)

    Vulnerability from nvd – Published: 2024-12-05 15:28 – Updated: 2024-12-05 16:30
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.2.1 (custom)
    Create a notification for this product.
    Credits
    Konrad Zbylut
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10716",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T16:30:51.236868Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T16:30:58.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.1",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Konrad Zbylut"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-05T15:45:17.602Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10716",
        "datePublished": "2024-12-05T15:28:29.644Z",
        "dateReserved": "2024-11-01T22:15:22.698Z",
        "dateUpdated": "2024-12-05T16:30:58.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10094 (GCVE-0-2024-10094)

    Vulnerability from nvd – Published: 2024-11-20 14:45 – Updated: 2024-11-20 15:39
    VLAI
    Summary
    Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 6.1 , < 24.1.2 (custom)
    Create a notification for this product.
    pegasystems pega_infinity Affected: 6.1 , < 24.1.2 (custom)
        cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Wiseman from Commonwealth Bank of Australia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "pega_infinity",
                "vendor": "pegasystems",
                "versions": [
                  {
                    "lessThan": "24.1.2",
                    "status": "affected",
                    "version": "6.1",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10094",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-20T15:37:50.121588Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-20T15:39:07.542Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.2",
                  "status": "affected",
                  "version": "6.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Daniel Wiseman from Commonwealth Bank of Australia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-20T14:45:22.464Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10094",
        "datePublished": "2024-11-20T14:45:22.464Z",
        "dateReserved": "2024-10-17T16:14:24.687Z",
        "dateUpdated": "2024-11-20T15:39:07.542Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6702 (GCVE-0-2024-6702)

    Vulnerability from nvd – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:04
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6702",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:04:40.842270Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:04:50.576Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:29:06.562Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6702",
        "datePublished": "2024-09-12T14:25:44.692Z",
        "dateReserved": "2024-07-11T18:55:54.085Z",
        "dateUpdated": "2024-09-12T15:04:50.576Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6701 (GCVE-0-2024-6701)

    Vulnerability from nvd – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:05
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:05:41.616361Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:05:49.076Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:25:28.473Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6701",
        "datePublished": "2024-09-12T14:25:28.473Z",
        "dateReserved": "2024-07-11T18:55:52.822Z",
        "dateUpdated": "2024-09-12T15:05:49.076Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6700 (GCVE-0-2024-6700)

    Vulnerability from nvd – Published: 2024-09-12 14:24 – Updated: 2024-09-12 15:06
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6700",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:06:33.383533Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:06:40.532Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:24:08.681Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6700",
        "datePublished": "2024-09-12T14:24:08.681Z",
        "dateReserved": "2024-07-11T18:55:50.150Z",
        "dateUpdated": "2024-09-12T15:06:40.532Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24083 (GCVE-0-2022-24083)

    Vulnerability from nvd – Published: 2022-07-25 16:07 – Updated: 2024-08-03 03:59
    VLAI
    Summary
    Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.3.1 , < unspecified (custom)
    Affected: unspecified , < 8.7.2 (custom)
    Create a notification for this product.
    Credits
    Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.3.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.7.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:07:16.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "ID": "CVE-2022-24083",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.3.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.7.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pegasystems"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "H",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "H",
                  "PR": "N",
                  "S": "U",
                  "UI": "N"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-285: Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0",
                  "refsource": "MISC",
                  "url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2022-24083",
        "datePublished": "2022-07-25T16:07:16.000Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.635Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24082 (GCVE-0-2022-24082)

    Vulnerability from nvd – Published: 2022-07-19 00:00 – Updated: 2024-08-03 03:59
    VLAI
    Summary
    If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < unspecified (custom)
    Affected: unspecified , < 8.7.3 (custom)
    Create a notification for this product.
    Credits
    Marcin Wolak, Rabobank Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.700Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.7.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Marcin Wolak, Rabobank Red Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-24T00:00:00.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
            },
            {
              "url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2022-24082",
        "datePublished": "2022-07-19T00:00:00.000Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27654 (GCVE-0-2021-27654)

    Vulnerability from nvd – Published: 2022-01-28 19:09 – Updated: 2024-08-03 21:26
    VLAI
    Summary
    Forgotten password reset functionality for local accounts can be used to bypass local authentication checks.
    CWE
    • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.2.1 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.620Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Forgotten password reset functionality for local accounts can be used to bypass local authentication checks."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 8.4,
                "temporalSeverity": "HIGH",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-640",
                  "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-28T19:09:31.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "ID": "CVE-2021-27654",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pegasystems"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Forgotten password reset functionality for local accounts can be used to bypass local authentication checks."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "H",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "H",
                  "PR": "N",
                  "S": "U",
                  "UI": "R"
                },
                "EM": {
                  "AR": "H",
                  "CR": "H",
                  "IR": "H",
                  "MA": "H",
                  "MAC": "L",
                  "MAV": "N",
                  "MC": "H",
                  "MI": "H",
                  "MPR": "N",
                  "MS": "U",
                  "MUI": "R"
                },
                "TM": {
                  "E": "H",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://collaborate.pega.com/discussion/pega-security-advisory-c21",
                  "refsource": "MISC",
                  "url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2021-27654",
        "datePublished": "2022-01-28T19:09:31.000Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:26:10.620Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27651 (GCVE-0-2021-27651)

    Vulnerability from nvd – Published: 2021-04-29 14:47 – Updated: 2024-08-03 21:26
    VLAI
    Summary
    In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.2.1 , < unspecified (custom)
    Affected: unspecified , < 8.5.2 (custom)
    Create a notification for this product.
    Credits
    Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.645Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 9.1,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-29T14:47:20.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "ID": "CVE-2021-27651",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pegasystems"
                  }
                ]
              }
            },
            "credit": "Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)",
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "H",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "H",
                  "PR": "N",
                  "S": "U",
                  "UI": "N"
                },
                "EM": {
                  "AR": "H",
                  "CR": "H",
                  "IR": "H",
                  "MA": "L",
                  "MAC": "L",
                  "MAV": "N",
                  "MC": "L",
                  "MI": "L",
                  "MPR": "N",
                  "MS": "U",
                  "MUI": "R"
                },
                "TM": {
                  "E": "F",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix",
                  "refsource": "CONFIRM",
                  "url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2021-27651",
        "datePublished": "2021-04-29T14:47:20.000Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:26:10.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27653 (GCVE-0-2021-27653)

    Vulnerability from nvd – Published: 2021-04-01 18:38 – Updated: 2024-09-16 23:11
    VLAI
    Summary
    Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pega Systems Pega Infinity Affected: >=7.4.0, <8.5.3
    Create a notification for this product.
    Date Public
    2021-03-30 00:00
    Credits
    Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson, Collaborator Break3r
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.698Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pega Systems",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e=7.4.0, \u003c8.5.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson,  Collaborator Break3r"
            }
          ],
          "datePublic": "2021-03-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-12T16:02:55.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "DATE_PUBLIC": "2021-03-30T16:45:00.000Z",
              "ID": "CVE-2021-27653",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e=7.4.0, \u003c8.5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pega Systems"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson,  Collaborator Break3r"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21",
                  "refsource": "MISC",
                  "url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
                },
                {
                  "name": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/",
                  "refsource": "MISC",
                  "url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2021-27653",
        "datePublished": "2021-04-01T18:38:57.721Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:11:02.611Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10716 (GCVE-0-2024-10716)

    Vulnerability from cvelistv5 – Published: 2024-12-05 15:28 – Updated: 2024-12-05 16:30
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.2.1 (custom)
    Create a notification for this product.
    Credits
    Konrad Zbylut
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10716",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T16:30:51.236868Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T16:30:58.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.2.1",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Konrad Zbylut"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-05T15:45:17.602Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10716",
        "datePublished": "2024-12-05T15:28:29.644Z",
        "dateReserved": "2024-11-01T22:15:22.698Z",
        "dateUpdated": "2024-12-05T16:30:58.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10094 (GCVE-0-2024-10094)

    Vulnerability from cvelistv5 – Published: 2024-11-20 14:45 – Updated: 2024-11-20 15:39
    VLAI
    Summary
    Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 6.1 , < 24.1.2 (custom)
    Create a notification for this product.
    pegasystems pega_infinity Affected: 6.1 , < 24.1.2 (custom)
        cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Wiseman from Commonwealth Bank of Australia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "pega_infinity",
                "vendor": "pegasystems",
                "versions": [
                  {
                    "lessThan": "24.1.2",
                    "status": "affected",
                    "version": "6.1",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10094",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-20T15:37:50.121588Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-20T15:39:07.542Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.2",
                  "status": "affected",
                  "version": "6.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Daniel Wiseman from Commonwealth Bank of Australia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-20T14:45:22.464Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-10094",
        "datePublished": "2024-11-20T14:45:22.464Z",
        "dateReserved": "2024-10-17T16:14:24.687Z",
        "dateUpdated": "2024-11-20T15:39:07.542Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6702 (GCVE-0-2024-6702)

    Vulnerability from cvelistv5 – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:04
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6702",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:04:40.842270Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:04:50.576Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:29:06.562Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6702",
        "datePublished": "2024-09-12T14:25:44.692Z",
        "dateReserved": "2024-07-11T18:55:54.085Z",
        "dateUpdated": "2024-09-12T15:04:50.576Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6701 (GCVE-0-2024-6701)

    Vulnerability from cvelistv5 – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:05
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:05:41.616361Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:05:49.076Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:25:28.473Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6701",
        "datePublished": "2024-09-12T14:25:28.473Z",
        "dateReserved": "2024-07-11T18:55:52.822Z",
        "dateUpdated": "2024-09-12T15:05:49.076Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6700 (GCVE-0-2024-6700)

    Vulnerability from cvelistv5 – Published: 2024-09-12 14:24 – Updated: 2024-09-12 15:06
    VLAI
    Summary
    Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1 , < 24.1.3 (custom)
    Create a notification for this product.
    Credits
    Andrea Solenne Christian Romano Lapo Mezzani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6700",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-12T15:06:33.383533Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T15:06:40.532Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "24.1.3",
                  "status": "affected",
                  "version": "8.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Andrea Solenne"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Christian Romano"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Lapo Mezzani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-12T14:24:08.681Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2024-6700",
        "datePublished": "2024-09-12T14:24:08.681Z",
        "dateReserved": "2024-07-11T18:55:50.150Z",
        "dateUpdated": "2024-09-12T15:06:40.532Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24083 (GCVE-0-2022-24083)

    Vulnerability from cvelistv5 – Published: 2022-07-25 16:07 – Updated: 2024-08-03 03:59
    VLAI
    Summary
    Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 7.3.1 , < unspecified (custom)
    Affected: unspecified , < 8.7.2 (custom)
    Create a notification for this product.
    Credits
    Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.3.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.7.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:07:16.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "ID": "CVE-2022-24083",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.3.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.7.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pegasystems"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "H",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "H",
                  "PR": "N",
                  "S": "U",
                  "UI": "N"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-285: Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0",
                  "refsource": "MISC",
                  "url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2022-24083",
        "datePublished": "2022-07-25T16:07:16.000Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.635Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24082 (GCVE-0-2022-24082)

    Vulnerability from cvelistv5 – Published: 2022-07-19 00:00 – Updated: 2024-08-03 03:59
    VLAI
    Summary
    If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.1.0 , < unspecified (custom)
    Affected: unspecified , < 8.7.3 (custom)
    Create a notification for this product.
    Credits
    Marcin Wolak, Rabobank Red Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.700Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.7.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Marcin Wolak, Rabobank Red Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-24T00:00:00.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
            },
            {
              "url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2022-24082",
        "datePublished": "2022-07-19T00:00:00.000Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27654 (GCVE-0-2021-27654)

    Vulnerability from cvelistv5 – Published: 2022-01-28 19:09 – Updated: 2024-08-03 21:26
    VLAI
    Summary
    Forgotten password reset functionality for local accounts can be used to bypass local authentication checks.
    CWE
    • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.2.1 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.620Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Forgotten password reset functionality for local accounts can be used to bypass local authentication checks."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 8.4,
                "temporalSeverity": "HIGH",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-640",
                  "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-28T19:09:31.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "ID": "CVE-2021-27654",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pegasystems"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Forgotten password reset functionality for local accounts can be used to bypass local authentication checks."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "H",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "H",
                  "PR": "N",
                  "S": "U",
                  "UI": "R"
                },
                "EM": {
                  "AR": "H",
                  "CR": "H",
                  "IR": "H",
                  "MA": "H",
                  "MAC": "L",
                  "MAV": "N",
                  "MC": "H",
                  "MI": "H",
                  "MPR": "N",
                  "MS": "U",
                  "MUI": "R"
                },
                "TM": {
                  "E": "H",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://collaborate.pega.com/discussion/pega-security-advisory-c21",
                  "refsource": "MISC",
                  "url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2021-27654",
        "datePublished": "2022-01-28T19:09:31.000Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:26:10.620Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27651 (GCVE-0-2021-27651)

    Vulnerability from cvelistv5 – Published: 2021-04-29 14:47 – Updated: 2024-08-03 21:26
    VLAI
    Summary
    In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pegasystems Pega Infinity Affected: 8.2.1 , < unspecified (custom)
    Affected: unspecified , < 8.5.2 (custom)
    Create a notification for this product.
    Credits
    Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.645Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pegasystems",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 9.1,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-29T14:47:20.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "ID": "CVE-2021-27651",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pegasystems"
                  }
                ]
              }
            },
            "credit": "Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)",
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "H",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "H",
                  "PR": "N",
                  "S": "U",
                  "UI": "N"
                },
                "EM": {
                  "AR": "H",
                  "CR": "H",
                  "IR": "H",
                  "MA": "L",
                  "MAC": "L",
                  "MAV": "N",
                  "MC": "L",
                  "MI": "L",
                  "MPR": "N",
                  "MS": "U",
                  "MUI": "R"
                },
                "TM": {
                  "E": "F",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix",
                  "refsource": "CONFIRM",
                  "url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2021-27651",
        "datePublished": "2021-04-29T14:47:20.000Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:26:10.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27653 (GCVE-0-2021-27653)

    Vulnerability from cvelistv5 – Published: 2021-04-01 18:38 – Updated: 2024-09-16 23:11
    VLAI
    Summary
    Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Pega Systems Pega Infinity Affected: >=7.4.0, <8.5.3
    Create a notification for this product.
    Date Public
    2021-03-30 00:00
    Credits
    Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson, Collaborator Break3r
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.698Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Pega Infinity",
              "vendor": "Pega Systems",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e=7.4.0, \u003c8.5.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson,  Collaborator Break3r"
            }
          ],
          "datePublic": "2021-03-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-12T16:02:55.000Z",
            "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
            "shortName": "Pega"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pega.com",
              "DATE_PUBLIC": "2021-03-30T16:45:00.000Z",
              "ID": "CVE-2021-27653",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Pega Infinity",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e=7.4.0, \u003c8.5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pega Systems"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson,  Collaborator Break3r"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21",
                  "refsource": "MISC",
                  "url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
                },
                {
                  "name": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/",
                  "refsource": "MISC",
                  "url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "assignerShortName": "Pega",
        "cveId": "CVE-2021-27653",
        "datePublished": "2021-04-01T18:38:57.721Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:11:02.611Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }