Vulnerabilites related to Pegasystems - Pega Platform
CVE-2023-28094 (GCVE-0-2023-28094)
Vulnerability from cvelistv5
Published
2023-06-22 00:00
Modified
2024-12-06 21:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1393 - Use of Default Password
Summary
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 7.4 < unspecified Version: unspecified < 8.8.* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:30:24.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T21:20:34.551749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T21:20:43.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.4",
"versionType": "custom"
},
{
"lessThan": "8.8.*",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393: Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-05T07:26:35.937Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-28094",
"datePublished": "2023-06-22T00:00:00",
"dateReserved": "2023-03-10T00:00:00",
"dateUpdated": "2024-12-06T21:20:43.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50167 (GCVE-0-2023-50167)
Vulnerability from cvelistv5
Published
2024-03-06 17:15
Modified
2024-08-02 22:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 7.1.7 < 23.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T20:08:26.907065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:52.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "23.1.2",
"status": "affected",
"version": "7.1.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"value": "Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T17:15:08.248Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-i23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50167",
"datePublished": "2024-03-06T17:15:08.248Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2024-08-02T22:09:49.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50168 (GCVE-0-2023-50168)
Vulnerability from cvelistv5
Published
2024-03-14 15:40
Modified
2024-08-02 22:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 6.x < 8.8.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T16:32:16.956064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:50.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a24-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.5",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation."
}
],
"value": "Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-250 XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-14T15:40:23.961Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50168",
"datePublished": "2024-03-14T15:40:23.961Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2024-08-02T22:09:49.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32089 (GCVE-0-2023-32089)
Vulnerability from cvelistv5
Published
2023-10-18 11:45
Modified
2024-09-12 18:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Pega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 8.1 < 8.8.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:29.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-e23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T18:39:47.609820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T18:53:11.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Reuben Seymour, Amber Hamlet and Skyler Knecht from the Adversarial Security Practice at Navy Federal Credit Union"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description\u003c/div\u003e\u003c/div\u003e\n\n"
}
],
"value": "\nPega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-18T11:45:16.300Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-e23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-32089",
"datePublished": "2023-10-18T11:45:16.300Z",
"dateReserved": "2023-05-01T21:15:33.974Z",
"dateUpdated": "2024-09-12T18:53:11.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50165 (GCVE-0-2023-50165)
Vulnerability from cvelistv5
Published
2024-01-31 17:21
Modified
2024-10-17 17:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by an Generated PDF issue that could expose file contents.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 8.2.1 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-g23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T17:46:47.829016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T17:47:07.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThanOrEqual": "23.1.0",
"status": "affected",
"version": "8.2.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by an Generated PDF issue that could expose file contents."
}
],
"value": "Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by an Generated PDF issue that could expose file contents."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T17:21:04.235Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-g23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50165",
"datePublished": "2024-01-31T17:21:04.235Z",
"dateReserved": "2023-12-04T13:30:07.890Z",
"dateUpdated": "2024-10-17T17:47:07.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32088 (GCVE-0-2023-32088)
Vulnerability from cvelistv5
Published
2023-10-18 11:42
Modified
2024-09-12 18:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 8.1 < 23.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-e23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T18:40:05.099947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T18:53:27.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "23.1.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Reuben Seymour, Amber Hamlet and Skyler Knecht from the Adversarial Security Practice at Navy Federal Credit Union"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation\u003c/div\u003e\u003c/div\u003e\n\n"
}
],
"value": "\nPega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-18T11:42:31.137Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-e23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-32088",
"datePublished": "2023-10-18T11:42:31.137Z",
"dateReserved": "2023-05-01T21:15:33.974Z",
"dateUpdated": "2024-09-12T18:53:27.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32087 (GCVE-0-2023-32087)
Vulnerability from cvelistv5
Published
2023-10-18 11:39
Modified
2024-09-12 18:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 8.1 < 23.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-e23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T18:40:10.629128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T18:53:40.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "23.1.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Reuben Seymour, Amber Hamlet and Skyler Knecht from the Adversarial Security Practice at Navy Federal Credit Union"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation\u003c/div\u003e\u003c/div\u003e\n\n"
}
],
"value": "\nPega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-18T11:39:51.648Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-e23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-32087",
"datePublished": "2023-10-18T11:39:51.648Z",
"dateReserved": "2023-05-01T21:15:33.974Z",
"dateUpdated": "2024-09-12T18:53:40.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32090 (GCVE-0-2023-32090)
Vulnerability from cvelistv5
Published
2023-08-07 11:53
Modified
2024-10-09 18:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1393 - Use of Default Password
Summary
Pega platform clients who are using versions 6.1 through 7.3.1 may be
utilizing default credentials
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 6.1 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pegasystems:pega_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pega_platform",
"vendor": "pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T17:55:40.791064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:13:45.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mohamad Shokor"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393 Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T11:53:48.738Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-32090",
"datePublished": "2023-08-07T11:53:48.738Z",
"dateReserved": "2023-05-01T21:15:33.974Z",
"dateUpdated": "2024-10-09T18:13:45.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4843 (GCVE-0-2023-4843)
Vulnerability from cvelistv5
Published
2023-09-08 16:06
Modified
2024-09-25 20:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 7.1 < 8.8.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T16:23:47.988448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T20:06:07.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "8.8.4",
"status": "affected",
"version": "7.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Iulian Florea"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"value": "Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:44.528Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-d23-vulnerability-remediation-note?"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-4843",
"datePublished": "2023-09-08T16:06:44.528Z",
"dateReserved": "2023-09-08T15:15:45.371Z",
"dateUpdated": "2024-09-25T20:06:07.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50166 (GCVE-0-2023-50166)
Vulnerability from cvelistv5
Published
2024-01-31 17:26
Modified
2025-06-11 17:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Platform |
Version: 8.5.4 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-h23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T17:41:20.401700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T17:50:06.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Platform",
"vendor": "Pegasystems",
"versions": [
{
"lessThanOrEqual": "8.8.3",
"status": "affected",
"version": "8.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tomasz Stachowicz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
],
"value": "Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T17:26:42.731Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-h23-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-50166",
"datePublished": "2024-01-31T17:26:42.731Z",
"dateReserved": "2023-12-04T13:30:07.891Z",
"dateUpdated": "2025-06-11T17:50:06.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}