INC-139300 · Issue 590273
Additional security for encrypted passwords
Resolved in Pega Version 8.3.5
Handling and cleanup has been updated for encrypted values to enhance security.
INC-141296 · Issue 592474
Log-access security updated
Resolved in Pega Version 8.3.5
Access control has been updated for Log-Usage class.
INC-139337 · Issue 595222
RefreshRequestors security update
Resolved in Pega Version 8.3.5
Security improvements have been added for RefreshRequestors.
INC-135349 · Issue 583004
Unit Test Ruleset rules do not count against Guardrails
Resolved in Pega Version 8.3.5
Although the documentation indicates that rules in a Unit Testing ruleset should not count against the guardrail score or unit test coverage, when branching a unit test ruleset, the branch did not carry the same unit test flag value as the source ruleset and the rulesets were counted as a result. This has been resolved with an update to ignore testrulesets in guardrail and pegaunit calculations.
INC-128923 · Issue 594162
Cross-site scripting security update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been added to OpenNoteDetails.
INC-143136 · Issue 604016
Cross-site scripting update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been updated in Designer Studio.
INC-148154 · Issue 602921
Hot Fix Manager updated to use installation order for schema import
Resolved in Pega Version 8.3.5
Schema changes were not being imported during the hot fix manager DL import process. Investigation showed this was due to hotfixes in the DL being iterated over from newest to oldest, causing older hotfixes to replace the value added to a map by the newer. To resolve this, the system has been updated to use hotfix install order, which considers selected and dependent hotfixes, rather than ordering newest to oldest. This ensures that newer table representations will override older rather than the other way around.
SR-D79178 · Issue 543310
SameSite cookie setting added for Mashup support in Google Chrome v80+
Resolved in Pega Version 8.3.3
The Google Chrome browser version 80 and above now treats SameSite with a blank value as "Lax" by default, causing mashup scenarios to break. In order to compensate for this change, support has been added for setting SameSite=None in Cookie Settings; this value automatically includes the “secure” cookie flag, which enforces HTTPS for the Pega server and mashup. For mashups to work, SameSite should be set as None. Create a Dynamic system setting in the Pega-Engine RuleSet with the name “security/csrf/samesitecookieattributevalue” and the value "None" and restart the server. (The SameSite value "None" works only in secure HTTPS connections.)Note: The SameSite cookie may be set to None/Lax/Strict, based on the requirement. For cookie requirements other than mashup, it should be set as either Strict or Lax, depending upon your application.
SR-D72141 · Issue 542661
Approved flow rule image unlocked
Resolved in Pega Version 8.3.3
When the Approval Required check box was enabled for rulesets (i.e another person with access to this work queue should approve changes to the rules), a rule which was approved was unlocked and moved back to the original ruleset as expected, but the binary image associated with the flow rule remained locked and any other user other than the one who previously checked in the rule was denied access with a "check out failed" error. This locking error has been resolved by modifying the Rule-Obj-Flow!CleanUp activity to set Param.IgnoreInstanceLockedBy = true.
SR-D90544 · Issue 550371
Corrected row focus for deleting in App Studio case model
Resolved in Pega Version 8.3.3
When attempting to delete a row of properties from the 2nd page of the data model of a case type while using App Studio, clicking on the delete icon brought up a dialog box asking for confirmation for deletion but at the same time the screen went back to the first page of the data model instead of remaining on the second page. Because of this, clicking on the OK button to confirm the deletion caused a random property from the first page to be deleted instead of the targeted row of the second page as expected. This was due to the refresh being triggered immediately within overlay UI actions, and has been resolved by updating the first trash icon action set for the section pzExpressFieldActions to be a modal instead of an overlay when launching local action.