Search criteria
48 vulnerabilities found for pega_platform by pega
CVE-2025-9559 (GCVE-0-2025-9559)
Vulnerability from nvd – Published: 2025-10-16 15:28 – Updated: 2025-10-16 18:13
VLAI?
Title
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data
Summary
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.7.5 , < Infinity 24.2.3
(custom)
|
Credits
Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:13:10.483009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:13:47.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "8.7.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
}
],
"datePublic": "2025-10-16T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T15:28:18.504Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-h25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-9559",
"datePublished": "2025-10-16T15:28:18.504Z",
"dateReserved": "2025-08-27T20:01:46.786Z",
"dateUpdated": "2025-10-16T18:13:47.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8681 (GCVE-0-2025-8681)
Vulnerability from nvd – Published: 2025-09-10 16:00 – Updated: 2025-09-11 14:42
VLAI?
Title
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component
Summary
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.1.0 , < Infinity 24.2.3
(custom)
|
Credits
Louis Sohier of ENGIE IT Offensive Cybersecurity Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:27:19.118508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:42:58.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
}
],
"datePublic": "2025-09-10T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u0026nbsp;Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u00a0Requires a high privileged user with a developer role."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:00:15.062Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-g25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-8681",
"datePublished": "2025-09-10T16:00:15.062Z",
"dateReserved": "2025-08-06T19:51:28.073Z",
"dateUpdated": "2025-09-11T14:42:58.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2161 (GCVE-0-2025-2161)
Vulnerability from nvd – Published: 2025-04-14 14:19 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2.1 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:32:26.201504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:37.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "7.2.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:19:37.824Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2161",
"datePublished": "2025-04-14T14:19:37.824Z",
"dateReserved": "2025-03-10T13:29:54.031Z",
"dateUpdated": "2025-04-14T14:32:37.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2160 (GCVE-0-2025-2160)
Vulnerability from nvd – Published: 2025-04-14 14:16 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.4.3 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:31:54.490718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:12.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "8.4.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:16:34.517Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2160",
"datePublished": "2025-04-14T14:16:34.517Z",
"dateReserved": "2025-03-10T13:29:52.653Z",
"dateUpdated": "2025-04-14T14:32:12.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12211 (GCVE-0-2024-12211)
Vulnerability from nvd – Published: 2025-01-13 16:14 – Updated: 2025-08-26 19:58
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.2.1
(custom)
|
Credits
Jordan Lyons
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T17:23:40.336491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T19:58:08.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jordan Lyons"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T16:14:59.224Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-f24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-12211",
"datePublished": "2025-01-13T16:14:59.224Z",
"dateReserved": "2024-12-04T20:50:58.613Z",
"dateUpdated": "2025-08-26T19:58:08.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50168 (GCVE-0-2023-50168)
Vulnerability from nvd – Published: 2024-03-14 15:40 – Updated: 2024-08-02 22:09
VLAI?
Summary
Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.
Severity ?
7.7 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
6.x , < 8.8.5
(custom)
|
Credits
Tomasz Stachowicz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T16:32:16.956064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:50.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a24-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.5",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation."
}
],
"value": "Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-250 XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-14T15:40:23.961Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50168",
"datePublished": "2024-03-14T15:40:23.961Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2024-08-02T22:09:49.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50167 (GCVE-0-2023-50167)
Vulnerability from nvd – Published: 2024-03-06 17:15 – Updated: 2024-08-02 22:09
VLAI?
Summary
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
7.1.7 , < 23.1.2
(custom)
|
Credits
Tomasz Stachowicz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T20:08:26.907065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:52.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "23.1.2",
"status": "affected",
"version": "7.1.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T17:15:08.248Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50167",
"datePublished": "2024-03-06T17:15:08.248Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2024-08-02T22:09:49.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4843 (GCVE-0-2023-4843)
Vulnerability from nvd – Published: 2023-09-08 16:06 – Updated: 2024-09-25 20:06
VLAI?
Summary
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.
Severity ?
4.3 (Medium)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
7.1 , < 8.8.4
(custom)
|
Credits
Iulian Florea
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T16:23:47.988448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T20:06:07.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.4",
"status": "affected",
"version": "7.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Iulian Florea"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:44.528Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-4843",
"datePublished": "2023-09-08T16:06:44.528Z",
"dateReserved": "2023-09-08T15:15:45.371Z",
"dateUpdated": "2024-09-25T20:06:07.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32090 (GCVE-0-2023-32090)
Vulnerability from nvd – Published: 2023-08-07 11:53 – Updated: 2024-10-09 18:13
VLAI?
Summary
Pega platform clients who are using versions 6.1 through 7.3.1 may be
utilizing default credentials
Severity ?
9.8 (Critical)
CWE
- CWE-1393 - Use of Default Password
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
6.1 , ≤ 7.3.1
(custom)
|
Credits
Mohamad Shokor
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pegasystems:pega_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pega_platform",
"vendor": "pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T17:55:40.791064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:13:45.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393 Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T11:53:48.738Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-32090",
"datePublished": "2023-08-07T11:53:48.738Z",
"dateReserved": "2023-05-01T21:15:33.974Z",
"dateUpdated": "2024-10-09T18:13:45.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28094 (GCVE-0-2023-28094)
Vulnerability from nvd – Published: 2023-06-22 00:00 – Updated: 2024-12-06 21:20
VLAI?
Summary
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
Severity ?
8.1 (High)
CWE
- CWE-1393 - Use of Default Password
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
7.4 , < unspecified
(custom)
Affected: unspecified , < 8.8.* (custom) |
Credits
Mohamad Shokor
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:30:24.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T21:20:34.551749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T21:20:43.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.4",
"versionType": "custom"
},
{
"lessThan": "8.8.*",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393: Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-05T07:26:35.937Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-28094",
"datePublished": "2023-06-22T00:00:00",
"dateReserved": "2023-03-10T00:00:00",
"dateUpdated": "2024-12-06T21:20:43.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26465 (GCVE-0-2023-26465)
Vulnerability from nvd – Published: 2023-06-09 00:00 – Updated: 2025-01-06 19:24
VLAI?
Summary
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2 , < unspecified
(custom)
Affected: unspecified , < 8.8.2 (custom) |
Credits
Maciej Piechota
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:54.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:24:32.307051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:24:44.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "8.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maciej Piechota"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T00:00:00",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-26465",
"datePublished": "2023-06-09T00:00:00",
"dateReserved": "2023-02-23T00:00:00",
"dateUpdated": "2025-01-06T19:24:44.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35656 (GCVE-0-2022-35656)
Vulnerability from nvd – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.
Severity ?
6.8 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:49",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "H",
"S": "U",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35656",
"datePublished": "2022-08-22T14:47:57",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35655 (GCVE-0-2022-35655)
Vulnerability from nvd – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:33",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35655",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35655",
"datePublished": "2022-08-22T14:47:36",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35654 (GCVE-0-2022-35654)
Vulnerability from nvd – Published: 2022-08-22 14:46 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.5.4 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.5.4",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:45:07",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35654",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.5.4"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35654",
"datePublished": "2022-08-22T14:46:53",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15390 (GCVE-0-2020-15390)
Vulnerability from nvd – Published: 2021-04-12 18:18 – Updated: 2024-08-04 13:15
VLAI?
Summary
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T18:18:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15390",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824",
"refsource": "MISC",
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15390",
"datePublished": "2021-04-12T18:18:20",
"dateReserved": "2020-06-29T00:00:00",
"dateUpdated": "2024-08-04T13:15:20.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9559 (GCVE-0-2025-9559)
Vulnerability from cvelistv5 – Published: 2025-10-16 15:28 – Updated: 2025-10-16 18:13
VLAI?
Title
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data
Summary
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.7.5 , < Infinity 24.2.3
(custom)
|
Credits
Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:13:10.483009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:13:47.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "8.7.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
}
],
"datePublic": "2025-10-16T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T15:28:18.504Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-h25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-9559",
"datePublished": "2025-10-16T15:28:18.504Z",
"dateReserved": "2025-08-27T20:01:46.786Z",
"dateUpdated": "2025-10-16T18:13:47.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8681 (GCVE-0-2025-8681)
Vulnerability from cvelistv5 – Published: 2025-09-10 16:00 – Updated: 2025-09-11 14:42
VLAI?
Title
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component
Summary
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.1.0 , < Infinity 24.2.3
(custom)
|
Credits
Louis Sohier of ENGIE IT Offensive Cybersecurity Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:27:19.118508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:42:58.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
}
],
"datePublic": "2025-09-10T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u0026nbsp;Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u00a0Requires a high privileged user with a developer role."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:00:15.062Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-g25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-8681",
"datePublished": "2025-09-10T16:00:15.062Z",
"dateReserved": "2025-08-06T19:51:28.073Z",
"dateUpdated": "2025-09-11T14:42:58.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2161 (GCVE-0-2025-2161)
Vulnerability from cvelistv5 – Published: 2025-04-14 14:19 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2.1 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:32:26.201504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:37.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "7.2.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:19:37.824Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2161",
"datePublished": "2025-04-14T14:19:37.824Z",
"dateReserved": "2025-03-10T13:29:54.031Z",
"dateUpdated": "2025-04-14T14:32:37.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2160 (GCVE-0-2025-2160)
Vulnerability from cvelistv5 – Published: 2025-04-14 14:16 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.4.3 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:31:54.490718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:12.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "8.4.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:16:34.517Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2160",
"datePublished": "2025-04-14T14:16:34.517Z",
"dateReserved": "2025-03-10T13:29:52.653Z",
"dateUpdated": "2025-04-14T14:32:12.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12211 (GCVE-0-2024-12211)
Vulnerability from cvelistv5 – Published: 2025-01-13 16:14 – Updated: 2025-08-26 19:58
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.2.1
(custom)
|
Credits
Jordan Lyons
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T17:23:40.336491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T19:58:08.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jordan Lyons"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T16:14:59.224Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-f24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-12211",
"datePublished": "2025-01-13T16:14:59.224Z",
"dateReserved": "2024-12-04T20:50:58.613Z",
"dateUpdated": "2025-08-26T19:58:08.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50168 (GCVE-0-2023-50168)
Vulnerability from cvelistv5 – Published: 2024-03-14 15:40 – Updated: 2024-08-02 22:09
VLAI?
Summary
Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.
Severity ?
7.7 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
6.x , < 8.8.5
(custom)
|
Credits
Tomasz Stachowicz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T16:32:16.956064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:50.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a24-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.5",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation."
}
],
"value": "Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-250 XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-14T15:40:23.961Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50168",
"datePublished": "2024-03-14T15:40:23.961Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2024-08-02T22:09:49.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50167 (GCVE-0-2023-50167)
Vulnerability from cvelistv5 – Published: 2024-03-06 17:15 – Updated: 2024-08-02 22:09
VLAI?
Summary
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
7.1.7 , < 23.1.2
(custom)
|
Credits
Tomasz Stachowicz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T20:08:26.907065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:52.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "23.1.2",
"status": "affected",
"version": "7.1.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T17:15:08.248Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50167",
"datePublished": "2024-03-06T17:15:08.248Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2024-08-02T22:09:49.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4843 (GCVE-0-2023-4843)
Vulnerability from cvelistv5 – Published: 2023-09-08 16:06 – Updated: 2024-09-25 20:06
VLAI?
Summary
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.
Severity ?
4.3 (Medium)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
7.1 , < 8.8.4
(custom)
|
Credits
Iulian Florea
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T16:23:47.988448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T20:06:07.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.4",
"status": "affected",
"version": "7.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Iulian Florea"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:44.528Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-4843",
"datePublished": "2023-09-08T16:06:44.528Z",
"dateReserved": "2023-09-08T15:15:45.371Z",
"dateUpdated": "2024-09-25T20:06:07.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32090 (GCVE-0-2023-32090)
Vulnerability from cvelistv5 – Published: 2023-08-07 11:53 – Updated: 2024-10-09 18:13
VLAI?
Summary
Pega platform clients who are using versions 6.1 through 7.3.1 may be
utilizing default credentials
Severity ?
9.8 (Critical)
CWE
- CWE-1393 - Use of Default Password
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
6.1 , ≤ 7.3.1
(custom)
|
Credits
Mohamad Shokor
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pegasystems:pega_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pega_platform",
"vendor": "pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T17:55:40.791064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:13:45.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393 Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T11:53:48.738Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-32090",
"datePublished": "2023-08-07T11:53:48.738Z",
"dateReserved": "2023-05-01T21:15:33.974Z",
"dateUpdated": "2024-10-09T18:13:45.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28094 (GCVE-0-2023-28094)
Vulnerability from cvelistv5 – Published: 2023-06-22 00:00 – Updated: 2024-12-06 21:20
VLAI?
Summary
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
Severity ?
8.1 (High)
CWE
- CWE-1393 - Use of Default Password
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Affected:
7.4 , < unspecified
(custom)
Affected: unspecified , < 8.8.* (custom) |
Credits
Mohamad Shokor
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:30:24.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T21:20:34.551749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T21:20:43.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.4",
"versionType": "custom"
},
{
"lessThan": "8.8.*",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393: Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-05T07:26:35.937Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-28094",
"datePublished": "2023-06-22T00:00:00",
"dateReserved": "2023-03-10T00:00:00",
"dateUpdated": "2024-12-06T21:20:43.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26465 (GCVE-0-2023-26465)
Vulnerability from cvelistv5 – Published: 2023-06-09 00:00 – Updated: 2025-01-06 19:24
VLAI?
Summary
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2 , < unspecified
(custom)
Affected: unspecified , < 8.8.2 (custom) |
Credits
Maciej Piechota
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:54.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:24:32.307051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:24:44.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "8.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maciej Piechota"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T00:00:00",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-26465",
"datePublished": "2023-06-09T00:00:00",
"dateReserved": "2023-02-23T00:00:00",
"dateUpdated": "2025-01-06T19:24:44.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35656 (GCVE-0-2022-35656)
Vulnerability from cvelistv5 – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.
Severity ?
6.8 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:49",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "H",
"S": "U",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35656",
"datePublished": "2022-08-22T14:47:57",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35655 (GCVE-0-2022-35655)
Vulnerability from cvelistv5 – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:33",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35655",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35655",
"datePublished": "2022-08-22T14:47:36",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35654 (GCVE-0-2022-35654)
Vulnerability from cvelistv5 – Published: 2022-08-22 14:46 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.5.4 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.5.4",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:45:07",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35654",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.5.4"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35654",
"datePublished": "2022-08-22T14:46:53",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15390 (GCVE-0-2020-15390)
Vulnerability from cvelistv5 – Published: 2021-04-12 18:18 – Updated: 2024-08-04 13:15
VLAI?
Summary
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T18:18:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15390",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824",
"refsource": "MISC",
"url": "https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15390",
"datePublished": "2021-04-12T18:18:20",
"dateReserved": "2020-06-29T00:00:00",
"dateUpdated": "2024-08-04T13:15:20.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}