PT-2020-15605 · Pegasystems · Pega Platform
Published
2020-12-15
·
Updated
2020-12-17
·
CVE-2020-23957
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Pega Platform versions prior to 8.5
Description
The issue is related to Cross Site Scripting (XSS) and affects the Pega Platform. It occurs via the
ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.Recommendations
For Pega Platform versions prior to 8.5, consider disabling the
ConnectionID parameter or restricting access to the PRAuth URI until a patch is available. As a temporary workaround, avoid using the ConnectionID parameter in requests to the PRAuth URI.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pega Platform