
Eric Kahlert

#21171 of 53,639
11.8 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2025-50493
5.3
2025-12-10
Pega · Pega Platform · CVE-2025-62181
**Name of the Vulnerable Software and Affected Versions**
Pega Platform versions 7.1.0 through Infinity 25.1.0

**Description**
Pega Platform is affected by a User Enumeration issue. A remote unauthenticated user could determine the validity of a username by observing differences in response times during the user authentication process. This issue is related to the deprecated basic-authentication feature, and more secure authentication mechanisms are recommended. The `username` parameter is involved in this process.

**Recommendations**
Versions 7.1.0 through 24.1.3 require updating to version 24.1.4 or later.
Versions 24.1.4 through 24.2.3 require updating to version 24.2.4 or later.
Versions 24.2.4 through 25.1.0 require updating to version 25.1.1 or later.
Consider disabling the basic-authentication feature and adopting more secure authentication mechanisms.
PT-2025-42483
6.5
2025-10-16
Pega · Pega Platform · CVE-2025-9559
**Name of the Vulnerable Software and Affected Versions**
Pega Platform versions 8.7.5 through 24.2.2

**Description**
The Pega Platform contains an Insecure Direct Object Reference issue within a user interface component. This issue allows for the reading of data.

**Recommendations**
Update to a version later than 24.2.2.