
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Aug 2022 — Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting. • https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Aug 2022 — Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter. • https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 Apr 2021 — pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo. • https://jayaramyalla.medium.com/sensitive-information-disclosure-due-to-improper-access-control-cve-2020-15390-124573c15824 • CWE-269: Improper Privilege Management

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Dec 2020 — Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI. • https://jayaramyalla.medium.com/cross-site-scripting-in-pega-cve-2020-23957-16d1c417da5f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Nov 2020 — Pega Platform before 8.4.0 has an XSS issue via stream rule parameters used in the request header. • https://community.pega.com/knowledgebase/products/platform/release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

13 Aug 2020 — Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control. • https://community.pega.com/upgrade

CVSS: 8.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Apr 2020 — Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags. • https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=issue%20529706&f%5B0%5D=version%3A32536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Apr 2020 — The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. • https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=issue%20529706&f%5B0%5D=version%3A32536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Apr 2020 — Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function. • https://community.pega.com/node/1913996 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Nov 2019 — PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect. ** DISPUTED ** • https://blog.cybercastrum.com/2019/11/25/cve-2019-16388 • CWE-425: Direct Request ('Forced Browsing')