Cross-Site Scripting Vulnerability in Pega Platform by Pega Systems
CVE-2022-35655

6.1MEDIUM

Key Information:

Vendor

Pegasystems

Status
Pega Infinity
Vendor
CVE Published:
22 August 2022

What is CVE-2022-35655?

The Pega Platform versions ranging from 7.3 to 8.7.3 contain an XSS vulnerability resulting from the misconfiguration of a datapage setting. This flaw could potentially allow an attacker to inject malicious scripts into pages that are viewed by other users, compromising sensitive data and user sessions. Pega Systems has issued advisory notes and hotfixes (available in the advisory) to address this vulnerability, underscoring the importance of configuring datapages correctly to prevent exploitation.

Affected Version(s)

Pega Infinity 7.3

Pega Infinity < 8.7.3

References

https://support.pega.com/support-doc/pega-security-adviso...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

CVSS V3.0

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kane Gamble from Blackfoot UK
.