PT-2019-14651 · Pegasystems · Pega Platform

Published 2019-11-26 · Updated 2024-08-05 · CVE-2019-16386

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: PEGA Platform versions 7.x through 8.x

Description: The issue allows information disclosure via a direct request to /prweb/sso/<random token>/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=<random harness id>, which returns database schema information. This can be done with a low-privilege account, although the vendor disputes the low-privilege claim, stating that the functions in question are normal administrator functions.

Recommendations: For PEGA Platform versions 7.x through 8.x, consider restricting access to the /prweb/sso/<random token>/!STANDARD endpoint to minimize the risk of information disclosure. Additionally, review and limit the use of the pyActivity=GetWebInfo and target=popup parameters, as well as the pzHarnessID variable, to prevent unauthorized access to database schema information.
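The recommendations above restrict who may reach the endpoint; the complementary defensive step is to notice when it is being called. The following Python is an added example written for this entry, not code from Pegasystems or from the advisory: it scans web-server access logs for requests to the /prweb/sso/<token>/!STANDARD path whose pyActivity parameter is GetWebInfo, so that each caller, source address and response status can be reviewed. The log lines are constructed samples in a Common Log Format layout, and the regular expressions, function names and field names are assumptions of this example rather than anything Pega defines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format style); not taken
# from any real deployment. Tokens and harness ids are invented placeholders.
SAMPLE_LOG = """\
10.0.0.5 - alice [26/Nov/2019:10:00:01 +0000] "GET /prweb/sso/tok-aaa/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=HID-1 HTTP/1.1" 200 5120
10.0.0.6 - bob [26/Nov/2019:10:00:02 +0000] "GET /prweb/PRServlet HTTP/1.1" 200 900
10.0.0.7 - carol [26/Nov/2019:10:00:03 +0000] "GET /prweb/sso/tok-bbb/!STANDARD?pyActivity=Data-Portal.ShowDesktop HTTP/1.1" 200 2000
10.0.0.8 - dave [26/Nov/2019:10:00:04 +0000] "GET /prweb/sso/tok-ccc/!STANDARD?target=popup&pyActivity=getwebinfo HTTP/1.1" 403 0
"""

# Assumed log layout: source, ident, user, [timestamp], "METHOD URL PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Path shape from the advisory: /prweb/sso/<random token>/!STANDARD
SSO_PATH_RE = re.compile(r'^/prweb/sso/[^/]+/!STANDARD$')


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_getwebinfo_request(url):
    """True when the URL targets the SSO !STANDARD path with pyActivity=GetWebInfo.

    The activity name is compared case-insensitively so that a differently
    cased value is not missed; the path itself is matched exactly.
    """
    parts = urlsplit(url)
    if not SSO_PATH_RE.match(parts.path):
        return False
    query = parse_qs(parts.query)
    activities = [v.lower() for v in query.get('pyActivity', [])]
    return 'getwebinfo' in activities


def find_hits(log_text):
    """Return a list of matching requests with the fields a reviewer would want."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_getwebinfo_request(rec['url']):
            continue
        query = parse_qs(urlsplit(rec['url']).query)
        hits.append({
            'src': rec['src'],
            'user': rec['user'],
            'ts': rec['ts'],
            'status': rec['status'],
            'harness_id': query.get('pzHarnessID', [None])[0],
        })
    return hits


if __name__ == '__main__':
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} user={hit['user']} "
              f"status={hit['status']} harness={hit['harness_id']}")
```

Run against a real log the function flags both successful (200) and blocked (403) calls, which is deliberate: a blocked request still tells you which account was probing the endpoint, while a successful one from an account that is not an administrator is what the advisory's recommendation aims to prevent.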

Related Identifiers

CVE-2019-16386

Affected Products

Pega Platform