CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16374
https://notcve.org/view.php?id=CVE-2019-16374
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control. Pega Platform versión 8.2.1, permite una inyección de LDAP porque un nombre de usuario puede contener un carácter * y puede ser de una longitud ilimitada. Un atacante puede especificar cuatro caracteres de un nombre de usuario, seguidos del carácter *, para omitir el control de acceso • https://community.pega.com/upgrade https://gist.github.com/IAG0110/0205823570ba04ec12e656f7f4602877 •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8775
https://notcve.org/view.php?id=CVE-2020-8775
Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags. Pega Platform versiones anteriores a 8.2.6, está afectada por una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado en las etiquetas de comentarios. • https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=issue%20529706&f%5B0%5D=version%3A32536 https://www.pega.com/products/pega-platform • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8773
https://notcve.org/view.php?id=CVE-2020-8773
The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. El Richtext Editor en Pega Platform versiones anteriores a 8.2.6, está afectado por una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado. • https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=issue%20529706&f%5B0%5D=version%3A32536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8774
https://notcve.org/view.php?id=CVE-2020-8774
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function. Pega Platform versiones anteriores a 8.2.6, está afectada por una vulnerabilidad de tipo Cross-Site Scripting Reflejado en la función "ActionStringID". • https://community.pega.com/node/1913996 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16388
https://notcve.org/view.php?id=CVE-2019-16388
PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect ** EN DISPUTA ** PEGA Platform versión 8.3.0, es vulnerable a una divulgación de información por medio de una petición directa de prweb/sso/random_token/! • https://blog.cybercastrum.com/2019/11/25/cve-2019-16388 • CWE-425: Direct Request ('Forced Browsing') •