SR-A15922 · Issue 231258
Support added for cleartext passwords in Snapstart
Resolved in Pega Version 7.2.1
When posting credentials from an external source, the code makes the assumption that the Password value is encoded and therefore it is decoded prior to being handed to the authentication activity in Pega. This is not always the case. If the Password value is passed as clear text the result in the activity is garbled. This creates problems when subsequent authentication is attempted to an external source. To support this handling, a new DASS 'authentication/Snapstart/pwddecode' has been added. When the setting is false, the password is not decoded in Snapstart cases and will necessitate a cleartext password.
SR-A19297 · Issue 237347
Added ability to set custom HTTP security headers
Resolved in Pega Version 7.2.1
XSS protections were interfering with the ability to set custom HTTP headers. To enable this, the system will use dynamic system settings from http/responseHeaders and add them to every HTTP response.
SR-A24508 · Issue 246983
Apache Struts updated for security
Resolved in Pega Version 7.2.1
Apache Struts has been updated to version 2.3.28 to protect against potential security vulnerabilities exposed when Dynamic Method Invocation is enabled, removing the ability for remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
SR-D31734 · Issue 515656
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.2.6
An Cross-site scripting vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.