Search criteria
38 vulnerabilities found for Pega Infinity by Pegasystems
CVE-2025-62181 (GCVE-0-2025-62181)
Vulnerability from nvd – Published: 2025-12-10 20:41 – Updated: 2025-12-11 15:32
VLAI?
Title
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
Summary
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.
Severity ?
5.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.1.0 , < Infinity 25.1.1
(custom)
|
Credits
Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
Louis Sohier of ENGIE IT Offensive Cybersecurity Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T15:25:30.998804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T15:32:31.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 25.1.1",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
},
{
"lang": "en",
"type": "finder",
"value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
}
],
"datePublic": "2025-12-10T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html."
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T20:41:08.517Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-62181",
"datePublished": "2025-12-10T20:41:08.517Z",
"dateReserved": "2025-10-07T19:04:27.220Z",
"dateUpdated": "2025-12-11T15:32:31.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9559 (GCVE-0-2025-9559)
Vulnerability from nvd – Published: 2025-10-16 15:28 – Updated: 2025-10-16 18:13
VLAI?
Title
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data
Summary
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.7.5 , < Infinity 24.2.3
(custom)
|
Credits
Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:13:10.483009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:13:47.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "8.7.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
}
],
"datePublic": "2025-10-16T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T15:28:18.504Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-h25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-9559",
"datePublished": "2025-10-16T15:28:18.504Z",
"dateReserved": "2025-08-27T20:01:46.786Z",
"dateUpdated": "2025-10-16T18:13:47.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8681 (GCVE-0-2025-8681)
Vulnerability from nvd – Published: 2025-09-10 16:00 – Updated: 2025-09-11 14:42
VLAI?
Title
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component
Summary
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.1.0 , < Infinity 24.2.3
(custom)
|
Credits
Louis Sohier of ENGIE IT Offensive Cybersecurity Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:27:19.118508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:42:58.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
}
],
"datePublic": "2025-09-10T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u0026nbsp;Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u00a0Requires a high privileged user with a developer role."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:00:15.062Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-g25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-8681",
"datePublished": "2025-09-10T16:00:15.062Z",
"dateReserved": "2025-08-06T19:51:28.073Z",
"dateUpdated": "2025-09-11T14:42:58.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2161 (GCVE-0-2025-2161)
Vulnerability from nvd – Published: 2025-04-14 14:19 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2.1 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:32:26.201504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:37.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "7.2.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:19:37.824Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2161",
"datePublished": "2025-04-14T14:19:37.824Z",
"dateReserved": "2025-03-10T13:29:54.031Z",
"dateUpdated": "2025-04-14T14:32:37.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2160 (GCVE-0-2025-2160)
Vulnerability from nvd – Published: 2025-04-14 14:16 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.4.3 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:31:54.490718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:12.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "8.4.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:16:34.517Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2160",
"datePublished": "2025-04-14T14:16:34.517Z",
"dateReserved": "2025-03-10T13:29:52.653Z",
"dateUpdated": "2025-04-14T14:32:12.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12211 (GCVE-0-2024-12211)
Vulnerability from nvd – Published: 2025-01-13 16:14 – Updated: 2025-08-26 19:58
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.2.1
(custom)
|
Credits
Jordan Lyons
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T17:23:40.336491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T19:58:08.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jordan Lyons"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T16:14:59.224Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-f24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-12211",
"datePublished": "2025-01-13T16:14:59.224Z",
"dateReserved": "2024-12-04T20:50:58.613Z",
"dateUpdated": "2025-08-26T19:58:08.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10716 (GCVE-0-2024-10716)
Vulnerability from nvd – Published: 2024-12-05 15:28 – Updated: 2024-12-05 16:30
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.2.1
(custom)
|
Credits
Konrad Zbylut
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T16:30:51.236868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:30:58.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Konrad Zbylut"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:45:17.602Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-10716",
"datePublished": "2024-12-05T15:28:29.644Z",
"dateReserved": "2024-11-01T22:15:22.698Z",
"dateUpdated": "2024-12-05T16:30:58.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10094 (GCVE-0-2024-10094)
Vulnerability from nvd – Published: 2024-11-20 14:45 – Updated: 2024-11-20 15:39
VLAI?
Summary
Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
Severity ?
9.1 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
6.1 , < 24.1.2
(custom)
|
Credits
Daniel Wiseman from Commonwealth Bank of Australia
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pega_infinity",
"vendor": "pegasystems",
"versions": [
{
"lessThan": "24.1.2",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:37:50.121588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:39:07.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.2",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Daniel Wiseman from Commonwealth Bank of Australia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T14:45:22.464Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-10094",
"datePublished": "2024-11-20T14:45:22.464Z",
"dateReserved": "2024-10-17T16:14:24.687Z",
"dateUpdated": "2024-11-20T15:39:07.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6702 (GCVE-0-2024-6702)
Vulnerability from nvd – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:04
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
Severity ?
5.2 (Medium)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.1.3
(custom)
|
Credits
Andrea Solenne
Christian Romano
Lapo Mezzani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:04:40.842270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:04:50.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:29:06.562Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6702",
"datePublished": "2024-09-12T14:25:44.692Z",
"dateReserved": "2024-07-11T18:55:54.085Z",
"dateUpdated": "2024-09-12T15:04:50.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6701 (GCVE-0-2024-6701)
Vulnerability from nvd – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:05
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.1.3
(custom)
|
Credits
Andrea Solenne
Christian Romano
Lapo Mezzani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:05:41.616361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:05:49.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:25:28.473Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6701",
"datePublished": "2024-09-12T14:25:28.473Z",
"dateReserved": "2024-07-11T18:55:52.822Z",
"dateUpdated": "2024-09-12T15:05:49.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6700 (GCVE-0-2024-6700)
Vulnerability from nvd – Published: 2024-09-12 14:24 – Updated: 2024-09-12 15:06
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.1.3
(custom)
|
Credits
Andrea Solenne
Christian Romano
Lapo Mezzani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:06:33.383533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:06:40.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:24:08.681Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6700",
"datePublished": "2024-09-12T14:24:08.681Z",
"dateReserved": "2024-07-11T18:55:50.150Z",
"dateUpdated": "2024-09-12T15:06:40.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26465 (GCVE-0-2023-26465)
Vulnerability from nvd – Published: 2023-06-09 00:00 – Updated: 2025-01-06 19:24
VLAI?
Summary
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2 , < unspecified
(custom)
Affected: unspecified , < 8.8.2 (custom) |
Credits
Maciej Piechota
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:54.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:24:32.307051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:24:44.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "8.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maciej Piechota"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T00:00:00",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-26465",
"datePublished": "2023-06-09T00:00:00",
"dateReserved": "2023-02-23T00:00:00",
"dateUpdated": "2025-01-06T19:24:44.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35656 (GCVE-0-2022-35656)
Vulnerability from nvd – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.
Severity ?
6.8 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:49",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "H",
"S": "U",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35656",
"datePublished": "2022-08-22T14:47:57",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35655 (GCVE-0-2022-35655)
Vulnerability from nvd – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:33",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35655",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35655",
"datePublished": "2022-08-22T14:47:36",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35654 (GCVE-0-2022-35654)
Vulnerability from nvd – Published: 2022-08-22 14:46 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.5.4 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.5.4",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:45:07",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35654",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.5.4"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35654",
"datePublished": "2022-08-22T14:46:53",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62181 (GCVE-0-2025-62181)
Vulnerability from cvelistv5 – Published: 2025-12-10 20:41 – Updated: 2025-12-11 15:32
VLAI?
Title
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
Summary
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.
Severity ?
5.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.1.0 , < Infinity 25.1.1
(custom)
|
Credits
Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
Louis Sohier of ENGIE IT Offensive Cybersecurity Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T15:25:30.998804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T15:32:31.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 25.1.1",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
},
{
"lang": "en",
"type": "finder",
"value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
}
],
"datePublic": "2025-12-10T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html."
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T20:41:08.517Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration where during user authentication process, a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-62181",
"datePublished": "2025-12-10T20:41:08.517Z",
"dateReserved": "2025-10-07T19:04:27.220Z",
"dateUpdated": "2025-12-11T15:32:31.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9559 (GCVE-0-2025-9559)
Vulnerability from cvelistv5 – Published: 2025-10-16 15:28 – Updated: 2025-10-16 18:13
VLAI?
Title
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data
Summary
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.7.5 , < Infinity 24.2.3
(custom)
|
Credits
Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:13:10.483009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:13:47.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "8.7.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/)"
}
],
"datePublic": "2025-10-16T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T15:28:18.504Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-h25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-9559",
"datePublished": "2025-10-16T15:28:18.504Z",
"dateReserved": "2025-08-27T20:01:46.786Z",
"dateUpdated": "2025-10-16T18:13:47.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8681 (GCVE-0-2025-8681)
Vulnerability from cvelistv5 – Published: 2025-09-10 16:00 – Updated: 2025-09-11 14:42
VLAI?
Title
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component
Summary
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.1.0 , < Infinity 24.2.3
(custom)
|
Credits
Louis Sohier of ENGIE IT Offensive Cybersecurity Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:27:19.118508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:42:58.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "Infinity 24.2.3",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Sohier of ENGIE IT Offensive Cybersecurity Team"
}
],
"datePublic": "2025-09-10T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u0026nbsp;Requires a high privileged user with a developer role.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. \u00a0Requires a high privileged user with a developer role."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:00:15.062Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-g25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-8681",
"datePublished": "2025-09-10T16:00:15.062Z",
"dateReserved": "2025-08-06T19:51:28.073Z",
"dateUpdated": "2025-09-11T14:42:58.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2161 (GCVE-0-2025-2161)
Vulnerability from cvelistv5 – Published: 2025-04-14 14:19 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2.1 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:32:26.201504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:37.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "7.2.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:19:37.824Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2161",
"datePublished": "2025-04-14T14:19:37.824Z",
"dateReserved": "2025-03-10T13:29:54.031Z",
"dateUpdated": "2025-04-14T14:32:37.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2160 (GCVE-0-2025-2160)
Vulnerability from cvelistv5 – Published: 2025-04-14 14:16 – Updated: 2025-04-14 14:32
VLAI?
Summary
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.4.3 , < 24.2.2
(custom)
|
Credits
Kacper Paluch
Maciej Włodarczyk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:31:54.490718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:32:12.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.2",
"status": "affected",
"version": "8.4.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kacper Paluch"
},
{
"lang": "en",
"type": "reporter",
"value": "Maciej W\u0142odarczyk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:16:34.517Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2025-2160",
"datePublished": "2025-04-14T14:16:34.517Z",
"dateReserved": "2025-03-10T13:29:52.653Z",
"dateUpdated": "2025-04-14T14:32:12.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12211 (GCVE-0-2024-12211)
Vulnerability from cvelistv5 – Published: 2025-01-13 16:14 – Updated: 2025-08-26 19:58
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.2.1
(custom)
|
Credits
Jordan Lyons
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T17:23:40.336491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T19:58:08.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jordan Lyons"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T16:14:59.224Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-f24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-12211",
"datePublished": "2025-01-13T16:14:59.224Z",
"dateReserved": "2024-12-04T20:50:58.613Z",
"dateUpdated": "2025-08-26T19:58:08.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10716 (GCVE-0-2024-10716)
Vulnerability from cvelistv5 – Published: 2024-12-05 15:28 – Updated: 2024-12-05 16:30
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.2.1
(custom)
|
Credits
Konrad Zbylut
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T16:30:51.236868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:30:58.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.2.1",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Konrad Zbylut"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:45:17.602Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-10716",
"datePublished": "2024-12-05T15:28:29.644Z",
"dateReserved": "2024-11-01T22:15:22.698Z",
"dateUpdated": "2024-12-05T16:30:58.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10094 (GCVE-0-2024-10094)
Vulnerability from cvelistv5 – Published: 2024-11-20 14:45 – Updated: 2024-11-20 15:39
VLAI?
Summary
Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code
Severity ?
9.1 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
6.1 , < 24.1.2
(custom)
|
Credits
Daniel Wiseman from Commonwealth Bank of Australia
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pega_infinity",
"vendor": "pegasystems",
"versions": [
{
"lessThan": "24.1.2",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:37:50.121588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:39:07.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.2",
"status": "affected",
"version": "6.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Daniel Wiseman from Commonwealth Bank of Australia"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code"
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T14:45:22.464Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-10094",
"datePublished": "2024-11-20T14:45:22.464Z",
"dateReserved": "2024-10-17T16:14:24.687Z",
"dateUpdated": "2024-11-20T15:39:07.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6702 (GCVE-0-2024-6702)
Vulnerability from cvelistv5 – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:04
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
Severity ?
5.2 (Medium)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.1.3
(custom)
|
Credits
Andrea Solenne
Christian Romano
Lapo Mezzani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:04:40.842270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:04:50.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:29:06.562Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6702",
"datePublished": "2024-09-12T14:25:44.692Z",
"dateReserved": "2024-07-11T18:55:54.085Z",
"dateUpdated": "2024-09-12T15:04:50.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6701 (GCVE-0-2024-6701)
Vulnerability from cvelistv5 – Published: 2024-09-12 14:25 – Updated: 2024-09-12 15:05
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.1.3
(custom)
|
Credits
Andrea Solenne
Christian Romano
Lapo Mezzani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:05:41.616361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:05:49.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:25:28.473Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6701",
"datePublished": "2024-09-12T14:25:28.473Z",
"dateReserved": "2024-07-11T18:55:52.822Z",
"dateUpdated": "2024-09-12T15:05:49.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6700 (GCVE-0-2024-6700)
Vulnerability from cvelistv5 – Published: 2024-09-12 14:24 – Updated: 2024-09-12 15:06
VLAI?
Summary
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.1 , < 24.1.3
(custom)
|
Credits
Andrea Solenne
Christian Romano
Lapo Mezzani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:06:33.383533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:06:40.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "24.1.3",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Andrea Solenne"
},
{
"lang": "en",
"type": "reporter",
"value": "Christian Romano"
},
{
"lang": "en",
"type": "reporter",
"value": "Lapo Mezzani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:24:08.681Z",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-c24-vulnerability-remediation-note"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2024-6700",
"datePublished": "2024-09-12T14:24:08.681Z",
"dateReserved": "2024-07-11T18:55:50.150Z",
"dateUpdated": "2024-09-12T15:06:40.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26465 (GCVE-0-2023-26465)
Vulnerability from cvelistv5 – Published: 2023-06-09 00:00 – Updated: 2025-01-06 19:24
VLAI?
Summary
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.2 , < unspecified
(custom)
Affected: unspecified , < 8.8.2 (custom) |
Credits
Maciej Piechota
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:54.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:24:32.307051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:24:44.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "8.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maciej Piechota"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T00:00:00",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"url": "https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2023-26465",
"datePublished": "2023-06-09T00:00:00",
"dateReserved": "2023-02-23T00:00:00",
"dateUpdated": "2025-01-06T19:24:44.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35656 (GCVE-0-2022-35656)
Vulnerability from cvelistv5 – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.
Severity ?
6.8 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:49",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "H",
"S": "U",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35656",
"datePublished": "2022-08-22T14:47:57",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35655 (GCVE-0-2022-35655)
Vulnerability from cvelistv5 – Published: 2022-08-22 14:47 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
7.3 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.3",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:44:33",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35655",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.3"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35655",
"datePublished": "2022-08-22T14:47:36",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35654 (GCVE-0-2022-35654)
Vulnerability from cvelistv5 – Published: 2022-08-22 14:46 – Updated: 2024-08-03 09:36
VLAI?
Summary
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pegasystems | Pega Infinity |
Affected:
8.5.4 , < unspecified
(custom)
Affected: unspecified , < 8.7.3 (custom) |
Credits
Kane Gamble from Blackfoot UK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pega Infinity",
"vendor": "Pegasystems",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.5.4",
"versionType": "custom"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kane Gamble from Blackfoot UK"
}
],
"descriptions": [
{
"lang": "en",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:45:07",
"orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"shortName": "Pega"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pega.com",
"ID": "CVE-2022-35654",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pega Infinity",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "8.5.4"
},
{
"version_affected": "\u003c",
"version_value": "8.7.3"
}
]
}
}
]
},
"vendor_name": "Pegasystems"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kane Gamble from Blackfoot UK"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "C",
"UI": "R"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix",
"refsource": "MISC",
"url": "https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
"assignerShortName": "Pega",
"cveId": "CVE-2022-35654",
"datePublished": "2022-08-22T14:46:53",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T09:36:44.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}