Support Article

Pega website vulnerable to cross-site scripting (XSS) attacks

SA-39237

Summary

A user observed that the Pega website was vulnerable to reflected (non-persistent) cross-site scripting (XSS) attacks.

Error Messages

Not Applicable

Steps to Reproduce

After logging into the application, request a REST service URL whose path segment contains a script, such as:

http://[Hostname]:[port]/prweb/api/<img src=x onerror=alert(document.cookie)>/anything/anything
http://[Hostname]:[port]/prweb/PRRestService/<img src=x onerror=alert(document.cookie)>/anything/anything
http://[Hostname]:[port]/prweb/PRRestService/api/<img src=x onerror=alert(document.cookie)>/anything/anything

Root Cause

A defect in Pegasystems’ code or rules.
The issue is observed only in the Firefox browser, which does not block the reflected script when it is injected into a REST service URL path segment.
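The following is an added example, not code from Pega or from this article: it flags the advisory's probe pattern (HTML markup in a /prweb/api/ or /prweb/PRRestService/ path segment) in constructed access-log lines, and shows the output-encoding that prevents a reflected path segment from executing. The log format, function names and sample lines are assumptions.

```python
import html
import re
from urllib.parse import unquote

# REST path prefixes named in SA-39237; other prefixes are out of scope here.
REST_PREFIXES = ("/prweb/api/", "/prweb/PRRestService/")

# An HTML tag opener in a path segment ("<img", "</a", "<!--") has no
# legitimate use in these REST URLs, so its presence marks a probe.
_TAG = re.compile(r"<\s*[a-z/!]", re.IGNORECASE)


def is_reflected_xss_attempt(request_path: str) -> bool:
    """True when a REST path under a monitored prefix carries HTML markup.

    The path is URL-decoded twice so that single (%3C) and double (%253C)
    encodings of '<' are both caught before the comparison.
    """
    decoded = unquote(unquote(request_path))
    if not decoded.startswith(REST_PREFIXES):
        return False
    return _TAG.search(decoded) is not None


def render_not_found(path_segment: str) -> str:
    """Hardened error page: the echoed segment is HTML-escaped, so a payload
    such as <img src=x onerror=...> is displayed as text, not executed.
    (Constructed illustration of output encoding, not Pega's own code.)"""
    safe = html.escape(path_segment, quote=True)
    return f"<html><body>Resource not found: {safe}</body></html>"


def flag_access_log(lines):
    """Return the request paths from common-log-format lines that match the
    advisory's probe pattern (assumed format, constructed input)."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/', line)
        if m and is_reflected_xss_attempt(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real Pega logs): one benign, two probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2017:10:00:01 +0000] "GET /prweb/api/v1/cases HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jun/2017:10:00:02 +0000] "GET /prweb/api/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E/a/b HTTP/1.1" 404 231',
    '10.0.0.9 - - [10/Jun/2017:10:00:03 +0000] "GET /prweb/PRRestService/%253Cimg%2520src%253Dx%253E/a HTTP/1.1" 404 231',
]
```

Running `flag_access_log(SAMPLE_LOG)` returns the two probe paths and ignores the benign request; the same check applied in a WAF or log pipeline surfaces this probe even where the browser does not block it.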

Resolution

Apply HFix-34976.

Published June 10, 2017 - Updated July 27, 2017
