SR-A87992 · Issue 258338
OperatorID page handling corrected for authentication failures
Resolved in Pega Version 7.2.2
With security policies and the password lock-out feature enabled, a valid authentication attempt caused the 'OperatorID' page to be present in all threads. However, when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in the 'STANDARD' thread and was empty in the other threads. This was an issue with the method used to update the failure count for authentication attempts, and has been corrected.
SR-A90144 · Issue 259472
Apache Struts JARs updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93015 · Issue 260000
Apache Struts JARs updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93024 · Issue 259995
Apache Struts JARs updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A23603 · Issue 258204
ADP alert messages updated for security
Resolved in Pega Version 7.2.2
To improve security, ADP alert messages have been changed to include only the data page name rather than the cache key used to identify the data page in the async service manager cache.
SR-A89212 · Issue 257059
WKWebView updated
Resolved in Pega Version 7.2.2
A partially successful workaround was inserted into the previous version to fix an issue with Apple's WKWebView where an iframe on a case screen was preventing the native Sidebar from working. However, some JavaScript confirm functions with property type Data continued to generate occasional errors. WKWebView has now been updated to resolve the issues, the workaround has been removed, and all confirm functions should be working as expected.
SR-A89212 · Issue 257378
WKWebView updated
Resolved in Pega Version 7.2.2
A partially successful workaround was inserted into the previous version to fix an issue with Apple's WKWebView where an iframe on a case screen was preventing the native Sidebar from working. However, some JavaScript confirm functions with property type Data continued to generate occasional errors. WKWebView has now been updated to resolve the issues, the workaround has been removed, and all confirm functions should be working as expected.
SR-A90165 · Issue 258244
WKWebView updated
Resolved in Pega Version 7.2.2
A partially successful workaround was inserted into the previous version to fix an issue with Apple's WKWebView where an iframe on a case screen was preventing the native Sidebar from working. However, some JavaScript confirm functions with property type Data continued to generate occasional errors. WKWebView has now been updated to resolve the issues, the workaround has been removed, and all confirm functions should be working as expected.
SR-A80668 · Issue 256820
DateTime Accessibility improved for iOS
Resolved in Pega Version 7.2.2
Accessibility has been improved for the DateTime control in iOS, allowing Input, Calendar image, Show Previous Month, Show Previous Year, Show Next Month, and Show Next Year buttons to be read out correctly.
SR-A93531 · Issue 266554
Corrected mobile login issues after sync
Resolved in Pega Version 7.2.2
After a full sync was forced, users already logged into the app (i.e., with packaged data present in the client) observed login issues thereafter, while new users did not. This has been corrected by updating the logic in the pzpega_ui_doc_HCLoadManager getOfflineStorageCount API call.