SR-A21636 · Issue 240162
Fixed auto-complete use in iPhone Opportunity creation
Resolved in Pega Version 7.2.1
Issues were seen when selecting items using Auto-Complete on an iPhone while creating an Opportunity. This was due to a positioning error in the logic, and has been fixed.
SR-A22198 · Issue 244738
Empty access groups handling added for organizational instance
Resolved in Pega Version 7.2.1
If an unauthenticated access group was configured in the organizational instance, errors occurred because the organization instance access groups are only considered for session authorization once the user is authenticated. This will now be handled through a validate activity change in the Data-admin-organization to honor the emptiness of access groups
SR-A24508 · Issue 246983
Apache Struts updated for security
Resolved in Pega Version 7.2.1
Apache Struts has been updated to version 2.3.28 to protect against potential security vulnerabilities exposed when Dynamic Method Invocation is enabled, removing the ability for remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
SR-A24787 · Issue 247535
SA mobile app hang fixed
Resolved in Pega Version 7.2.1
Hitting the 'back' button in the SA mobile app before a work-object fully loaded the master-details caused the app to hang. This was traced to an issue with the thread switching that caused a JS exception, and has been resolved.
SR-A24787 · Issue 245849
SA mobile app hang fixed
Resolved in Pega Version 7.2.1
Hitting the 'back' button in the SA mobile app before a work-object fully loaded the master-details caused the app to hang. This was traced to an issue with the thread switching that caused a JS exception, and has been resolved.
SR-A87291 · Issue 255631
JDBC password encryption check logic updated
Resolved in Pega Version 7.2.2
When using a Database instance with a JDBC connection URL, the specified password is encrypted. An issue was occurring where multiple saves of the instance caused the encrypted password to be encrypted again, causing the agent to lose access to the DB due to an authentication failure. The problem was traced to a logic flaw in the method used to check whether the password was already encrypted, and has been fixed.
SR-A91802 · Issue 260001
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A76763 · Issue 252485
Ensured Dirty pop up appears for mobile log off
Resolved in Pega Version 7.2.2
While closing a dirty form on a mobile device, the warning popup was not shown while logging off. A check has been added to control_actions so logging out will return 'if dirty' to resolve this.
SR-A87698 · Issue 256038
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.
SR-A87698 · Issue 260087
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. This was not an issue with Oracle. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.