Vulnerabilites related to pega - infinity
Vulnerability from fkie_nvd
Published
2021-04-29 15:15
Modified
2024-11-21 05:58
Severity ?
Summary
In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@pega.com | https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B759124B-4436-4240-A992-75C9DC181ED2",
"versionEndIncluding": "8.5.2",
"versionStartIncluding": "8.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks."
},
{
"lang": "es",
"value": "En versiones 8.2.1 hasta 8.5.2 de Pega Infinity, la funcionalidad password reset para cuentas locales puede ser usada para omitir las comprobaciones de autenticaci\u00f3n locales"
}
],
"id": "CVE-2021-27651",
"lastModified": "2024-11-21T05:58:22.783",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-29T15:15:10.917",
"references": [
{
"source": "security@pega.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-12 15:18
Modified
2024-09-13 16:09
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@pega.com | https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note | Permissions Required |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79AAC3AD-80E6-41D7-BE07-A0233AE65396",
"versionEndExcluding": "24.1.3",
"versionStartIncluding": "8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name."
},
{
"lang": "es",
"value": "Las versiones 8.1 a Infinity 24.1.2 de Pega Platform est\u00e1n afectadas por una vulnerabilidad XSS con el atributo App Name."
}
],
"id": "CVE-2024-6700",
"lastModified": "2024-09-13T16:09:28.343",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.2,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-12T15:18:26.757",
"references": [
{
"source": "security@pega.com",
"tags": [
"Permissions Required"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-01 19:15
Modified
2024-11-21 05:58
Severity ?
6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "131DFBF1-FD9D-4002-A1A8-E76CE5D1529D",
"versionEndExcluding": "8.5.3",
"versionStartIncluding": "7.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure."
},
{
"lang": "es",
"value": "La configuraci\u00f3n incorrecta del portal Pega Chat Access Group en la plataforma Pega versiones 7.4.0 - 8.5.x podr\u00eda conllevar a una exposici\u00f3n de datos no intencionada."
}
],
"id": "CVE-2021-27653",
"lastModified": "2024-11-21T05:58:22.913",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-01T19:15:14.077",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
},
{
"source": "security@pega.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-12 15:18
Modified
2024-09-13 16:07
Severity ?
5.2 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@pega.com | https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note | Permissions Required |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79AAC3AD-80E6-41D7-BE07-A0233AE65396",
"versionEndExcluding": "24.1.3",
"versionStartIncluding": "8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage."
},
{
"lang": "es",
"value": "Las versiones 8.1 hasta Infinity 24.1.2 de Pega Platform est\u00e1n afectadas por una vulnerabilidad de inyecci\u00f3n HTML con el atributo Stage."
}
],
"id": "CVE-2024-6702",
"lastModified": "2024-09-13T16:07:22.420",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 4.2,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-12T15:18:27.133",
"references": [
{
"source": "security@pega.com",
"tags": [
"Permissions Required"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-25 17:15
Modified
2024-11-21 06:49
Severity ?
Summary
Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4CA83DF3-BB49-4849-862D-9C6E98481DC8",
"versionEndIncluding": "8.7.2",
"versionStartIncluding": "7.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks."
},
{
"lang": "es",
"value": "Una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n de contrase\u00f1as para cuentas locales puede ser usada para omitir las comprobaciones de autenticaci\u00f3n local"
}
],
"id": "CVE-2022-24083",
"lastModified": "2024-11-21T06:49:46.813",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-25T17:15:08.087",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-19 15:15
Modified
2024-11-21 06:49
Severity ?
Summary
If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AA500E7-CE8A-4943-B747-F3C69A6507D5",
"versionEndExcluding": "8.7.3",
"versionStartIncluding": "8.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture."
},
{
"lang": "es",
"value": "Si una instalaci\u00f3n local de Pega Platform est\u00e1 configurada con el puerto de la interfaz JMX expuesto a Internet y el filtrado de puertos no est\u00e1 configurado apropiadamente, puede ser posible cargar cargas \u00fatiles serializadas para atacar el sistema subyacente. Esto no afecta a sistemas que son ejecutados en PegaCloud debido a su dise\u00f1o y arquitectura."
}
],
"id": "CVE-2022-24082",
"lastModified": "2024-11-21T06:49:46.687",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-19T15:15:08.487",
"references": [
{
"source": "security@pega.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
},
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-12 15:18
Modified
2024-09-13 16:08
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@pega.com | https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note | Permissions Required |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79AAC3AD-80E6-41D7-BE07-A0233AE65396",
"versionEndExcluding": "24.1.3",
"versionStartIncluding": "8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type."
},
{
"lang": "es",
"value": "Las versiones 8.1 a Infinity 24.1.2 de Pega Platform est\u00e1n afectadas por una vulnerabilidad XSS con el atributo Case Type."
}
],
"id": "CVE-2024-6701",
"lastModified": "2024-09-13T16:08:43.407",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.2,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-12T15:18:26.953",
"references": [
{
"source": "security@pega.com",
"tags": [
"Permissions Required"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-05 16:15
Modified
2025-03-10 14:02
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5628F446-52F1-4E5D-8F7A-37089813480A",
"versionEndIncluding": "8.8.5",
"versionStartIncluding": "8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F27257EC-F3C5-4A3E-AEA1-1E61017ED342",
"versionEndExcluding": "23.1.4",
"versionStartIncluding": "23.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA864E3E-F22D-4873-8BFC-4F44077A722B",
"versionEndExcluding": "24.1.2",
"versionStartIncluding": "24.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:24.2:*:*:*:*:*:*:*",
"matchCriteriaId": "741C22CD-E195-4D1C-AA28-D65395F21DC0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
},
{
"lang": "es",
"value": "Las versiones 8.1 a Infinity 24.2.0 de Pega Platform se ven afectadas por un problema de XSS con la b\u00fasqueda."
}
],
"id": "CVE-2024-10716",
"lastModified": "2025-03-10T14:02:57.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 4.2,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-05T16:15:23.767",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-28 20:15
Modified
2024-11-21 05:58
Severity ?
Summary
Forgotten password reset functionality for local accounts can be used to bypass local authentication checks.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D31FCC6-430E-42D4-A56F-3EF692D964E0",
"versionEndIncluding": "8.6.1",
"versionStartIncluding": "8.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Forgotten password reset functionality for local accounts can be used to bypass local authentication checks."
},
{
"lang": "es",
"value": "La funcionalidad Forgotten password reset para cuentas locales puede ser usada para omitir las comprobaciones de autenticaci\u00f3n local"
}
],
"id": "CVE-2021-27654",
"lastModified": "2024-11-21T05:58:23.043",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@pega.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-28T20:15:10.987",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-640"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-640"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-20 15:15
Modified
2025-03-10 17:40
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AF2C2C81-202E-4438-B260-E25E13663B12",
"versionEndExcluding": "8.1.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B60ED89-0F45-4A67-8ECD-F3CF9AA32D0E",
"versionEndExcluding": "8.2.8",
"versionStartIncluding": "8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95979B2B-5E3B-45BA-83FC-345A8A2C0A3D",
"versionEndExcluding": "8.3.6",
"versionStartIncluding": "8.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93B4B63F-1901-43F0-84B8-6BA23A3C7A6E",
"versionEndExcluding": "8.4.6",
"versionStartIncluding": "8.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B81846D8-F161-4CDC-BDFF-C0976CA168D2",
"versionEndExcluding": "8.5.6",
"versionStartIncluding": "8.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6BE0736-5708-4DA1-AFF1-6DE3AC547987",
"versionEndExcluding": "8.6.6 ",
"versionStartIncluding": "8.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3E1F2D18-8614-4F8E-926A-371B58F429B1",
"versionEndIncluding": "8.8.5",
"versionStartIncluding": "8.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5B4F288B-3CDC-4728-82C2-B2A3AA222789",
"versionEndExcluding": "23.1.4 ",
"versionStartIncluding": "23.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pega:infinity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "463BDA9B-6556-4DA1-921E-43EBD9145D96",
"versionEndExcluding": "24.1.2 ",
"versionStartIncluding": "24.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
},
{
"lang": "es",
"value": "Las versiones 6.x a Infinity 24.1.1 de Pega Platform se ven afectadas por un problema con el control inadecuado de la generaci\u00f3n de c\u00f3digo"
}
],
"id": "CVE-2024-10094",
"lastModified": "2025-03-10T17:40:08.723",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security@pega.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-20T15:15:08.083",
"references": [
{
"source": "security@pega.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
}
],
"sourceIdentifier": "security@pega.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security@pega.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-27654 (GCVE-0-2021-27654)
Vulnerability from cvelistv5
Published
2022-01-28 19:09
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Summary
Forgotten password reset functionality for local accounts can be used to bypass local authentication checks.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.2.1 < unspecified Version: unspecified < 8.6.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.1",
"versionType": "custom"
},
{
"lessThan": "8.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Forgotten password reset functionality for local accounts can be used to bypass local authentication checks."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 8.4,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-28T19:09:31",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2021-27654",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.2.1"
},
{
"version_affected": "\u003c",
"version_value": "8.6.1"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Forgotten password reset functionality for local accounts can be used to bypass local authentication checks."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "N",
"S": "U",
"UI": "R"
},
"EM": {
"AR": "H",
"CR": "H",
"IR": "H",
"MA": "H",
"MAC": "L",
"MAV": "N",
"MC": "H",
"MI": "H",
"MPR": "N",
"MS": "U",
"MUI": "R"
},
"TM": {
"E": "H",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://collaborate.pega.com/discussion/pega-security-advisory-c21",
"refsource": "MISC",
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-c21"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2021-27654",
"datePublished": "2022-01-28T19:09:31",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6702 (GCVE-0-2024-6702)
Vulnerability from cvelistv5
Published
2024-09-12 14:25
Modified
2024-09-12 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.1 < 24.1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:04:40.842270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:04:50.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:29:06.562Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6702",
"datePublished": "2024-09-12T14:25:44.692Z",
"dateReserved": "2024-07-11T18:55:54.085Z",
"dateUpdated": "2024-09-12T15:04:50.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24083 (GCVE-0-2022-24083)
Vulnerability from cvelistv5
Published
2022-07-25 16:07
Modified
2024-08-03 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 7.3.1 < unspecified Version: unspecified < 8.7.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.3.1",
"versionType": "custom"
},
{
"lessThan": "8.7.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia"
}
],
"descriptions": [
{
"lang": "en",
"value": "Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:07:16",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-24083",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.3.1"
},
{
"version_affected": "\u003c",
"version_value": "8.7.2"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lewis Churchill and Daniel Wiseman, from Commonwealth Bank of Australia"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "N",
"S": "U",
"UI": "N"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-c22-vulnerability-%E2%80%93-hotfix-matrix-0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-24083",
"datePublished": "2022-07-25T16:07:16",
"dateReserved": "2022-01-27T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27653 (GCVE-0-2021-27653)
Vulnerability from cvelistv5
Published
2021-04-01 18:38
Modified
2024-09-16 23:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pega Systems | Pega Infinity |
Version: >=7.4.0, <8.5.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pega Systems",
"versions": [
{
"status": "affected",
"version": "\u003e=7.4.0, \u003c8.5.3"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson, Collaborator Break3r"
}
],
"datePublic": "2021-03-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-12T16:02:55",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"DATE_PUBLIC": "2021-03-30T16:45:00.000Z",
"ID": "CVE-2021-27653",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_value": "\u003e=7.4.0, \u003c8.5.3"
}
]
}
}
]
},
"vendor_name": "Pega Systems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Sakura Samurai Robert Willis, Aubrey Cottle, Jackson Henry, and John Jackson, Collaborator Break3r"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21",
"refsource": "MISC",
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21"
},
{
"name": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/",
"refsource": "MISC",
"url": "https://robertwillishacking.com/census-vulnerability-exposes-10k-oauth-tokens-thousands-of-user-records/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2021-27653",
"datePublished": "2021-04-01T18:38:57.721776Z",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-09-16T23:11:02.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10716 (GCVE-0-2024-10716)
Vulnerability from cvelistv5
Published
2024-12-05 15:28
Modified
2024-12-05 16:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.1 < 24.2.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T16:30:51.236868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:30:58.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Konrad Zbylut"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:45:17.602Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-10716",
"datePublished": "2024-12-05T15:28:29.644Z",
"dateReserved": "2024-11-01T22:15:22.698Z",
"dateUpdated": "2024-12-05T16:30:58.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24082 (GCVE-0-2022-24082)
Vulnerability from cvelistv5
Published
2022-07-19 00:00
Modified
2024-08-03 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.1.0 < unspecified Version: unspecified < 8.7.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marcin Wolak, Rabobank Red Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-24T00:00:00",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0"
},
{
"url": "http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-24082",
"datePublished": "2022-07-19T00:00:00",
"dateReserved": "2022-01-27T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6701 (GCVE-0-2024-6701)
Vulnerability from cvelistv5
Published
2024-09-12 14:25
Modified
2024-09-12 15:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.1 < 24.1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:05:41.616361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:05:49.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:25:28.473Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6701",
"datePublished": "2024-09-12T14:25:28.473Z",
"dateReserved": "2024-07-11T18:55:52.822Z",
"dateUpdated": "2024-09-12T15:05:49.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27651 (GCVE-0-2021-27651)
Vulnerability from cvelistv5
Published
2021-04-29 14:47
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.2.1 < unspecified Version: unspecified < 8.5.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.1",
"versionType": "custom"
},
{
"lessThan": "8.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "FUNCTIONAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-29T14:47:20",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2021-27651",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.2.1"
},
{
"version_affected": "\u003c",
"version_value": "8.5.2"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": "Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "N",
"S": "U",
"UI": "N"
},
"EM": {
"AR": "H",
"CR": "H",
"IR": "H",
"MA": "L",
"MAC": "L",
"MAV": "N",
"MC": "L",
"MI": "L",
"MPR": "N",
"MS": "U",
"MUI": "R"
},
"TM": {
"E": "F",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix",
"refsource": "CONFIRM",
"url": "https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2021-27651",
"datePublished": "2021-04-29T14:47:20",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-08-03T21:26:10.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6700 (GCVE-0-2024-6700)
Vulnerability from cvelistv5
Published
2024-09-12 14:24
Modified
2024-09-12 15:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 8.1 < 24.1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:06:33.383533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:06:40.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:24:08.681Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6700",
"datePublished": "2024-09-12T14:24:08.681Z",
"dateReserved": "2024-07-11T18:55:50.150Z",
"dateUpdated": "2024-09-12T15:06:40.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10094 (GCVE-0-2024-10094)
Vulnerability from cvelistv5
Published
2024-11-20 14:45
Modified
2024-11-20 15:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Version: 6.1 < 24.1.2 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pega_infinity",
"vendor": "pegasystems",
"versions": [
{
"lessThan": "24.1.2",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:37:50.121588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:39:07.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.2",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Daniel Wiseman from Commonwealth Bank of Australia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T14:45:22.464Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-10094",
"datePublished": "2024-11-20T14:45:22.464Z",
"dateReserved": "2024-10-17T16:14:24.687Z",
"dateUpdated": "2024-11-20T15:39:07.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}