CVE-2017-11356 – PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2017-11356

The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control. La funcionalidad de exportación de distribuciones de aplicaciones en PEGA Platform 7.2 ML0 y anteriores permite que los usuarios autenticados con los privilegios adecuados obtengan información sensible de configuraciones usando un control de acceso que no existía. PEGA Platform versions 7.2 ML0 and below suffer from missing access control and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/42335 http://seclists.org/fulldisclosure/2017/Jul/28 https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •