INC-139300 · Issue 590273
Additional security for encrypted passwords
Resolved in Pega Version 8.3.5
Handling and cleanup has been updated for encrypted values to enhance security.
INC-141296 · Issue 592474
Log-access security updated
Resolved in Pega Version 8.3.5
Access control has been updated for Log-Usage class.
INC-139337 · Issue 595222
RefreshRequestors security update
Resolved in Pega Version 8.3.5
Security improvements have been added for RefreshRequestors.
INC-135349 · Issue 583004
Unit Test Ruleset rules do not count against Guardrails
Resolved in Pega Version 8.3.5
Although the documentation indicates that rules in a Unit Testing ruleset should not count against the guardrail score or unit test coverage, when branching a unit test ruleset, the branch did not carry the same unit test flag value as the source ruleset and the rulesets were counted as a result. This has been resolved with an update to ignore testrulesets in guardrail and pegaunit calculations.
INC-128923 · Issue 594162
Cross-site scripting security update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been added to OpenNoteDetails.
INC-143136 · Issue 604016
Cross-site scripting update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been updated in Designer Studio.
SR-D47018 · Issue 517032
Corrected parameter being encrypted during change portal configuration
Resolved in Pega Version 8.2.5
After configuring a changePortalLayout control using .pyDescription as property, trying to switch the portal was throwing a error page. The same configuration worked in earlier platform versions. This was traced to recent updates where the activity parameter ended up being encrypted along with the activity name, and has been resolved by removing the parameter from encryption input and adding it to encryption output.
SR-D5904 · Issue 511600
Discard changes dialog now showing for local actions
Resolved in Pega Version 8.2.5
After having modified case data without saving and clicking on a menu entry (left menu, search, ...), the system shows a dialog box to ask the user to confirm it is ok to discard changes. However, this confirmation dialog did not work with local actions, leading users to lose their work without any warning nor any way to step back. This was traced to a difference in the dirty form check, which was not present when launching a local action from a case. An enhancement has now been added to the handleMenuAction js function in pypega_ui_harnessactions.js which will perform a dirty form check with a prompt.
SR-D40662 · Issue 511397
OpenRuleAdvanced updated
Resolved in Pega Version 8.2.5
After upgrade, the Update Page and Append and Map to step in Data transform was generating the error "No Server connection while giving page name to Target and Source". This was traced to the OpenRuleAdvanced_OverLabel control, and investigation showed that a variable was not being resolved when invoking pzEncryptURLActionString. This has been resolved by updating OpenRuleAdvanced and reimplementing two parameters as well as moving the call of these variables to the beginning of the script. Security has also been improved by moving some of the encryption to SafeUrls.
SR-D42566 · Issue 512872
Security improvements for ApplicationInventory and Delete Class
Resolved in Pega Version 8.2.5
It was possible to call the activity "ApplicationInventory of class Rule-" by appending the activity name in the URL. To improve security, the ApplicationInventory activity and HTML rule have been removed from the system. In addition, it was possible to access the "delete class" screen and perform actions on top of it by directly appending the stream to the URL. This has been refactored so the screen will be presented only if the pzSystemOperationsAdministrator privilege is in the current access group.