PT-2021-17583 · Pegasystems · Pega Infinity+1

Published: 2021-04-01 · Updated: 2022-04-25 · CVE-2021-27653

CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pega platform versions 7.4.0 through 8.5.x

Description: The issue stems from a misconfiguration of the Pega Chat Access Group portal that could lead to unintended data exposure. The misconfiguration allowed attackers to gain access to confidential records, take over user accounts, and download a significant amount of company and customer data. The vulnerability was discovered by researchers Robert Willis and break3r, together with representatives of Sakura Samurai. After the researchers reported their findings, Pega fixed the issue relatively quickly. However, Ford, whose servers were running the affected Pega Infinity system, did not respond adequately to the vulnerability disclosure and did not offer the researchers any reward. It is currently unknown whether the vulnerability was exploited in the wild.

Recommendations: For Pega platform versions 7.4.0 through 8.5.x, update the Pega Chat Access Group portal configuration to prevent unintended data exposure. As a temporary workaround, consider restricting access to the vulnerable portal until a patch is available. Additionally, review and strengthen access controls to prevent unauthorized access to sensitive data.


Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2021-27653

Affected Products: Pega Infinity, Pega Platform