INC-139300 · Issue 590273
Additional security for encrypted passwords
Resolved in Pega Version 8.3.5
Handling and cleanup has been updated for encrypted values to enhance security.
INC-141296 · Issue 592474
Log-access security updated
Resolved in Pega Version 8.3.5
Access control has been updated for Log-Usage class.
INC-139337 · Issue 595222
RefreshRequestors security update
Resolved in Pega Version 8.3.5
Security improvements have been added for RefreshRequestors.
INC-135349 · Issue 583004
Unit Test Ruleset rules do not count against Guardrails
Resolved in Pega Version 8.3.5
Although the documentation indicates that rules in a Unit Testing ruleset should not count against the guardrail score or unit test coverage, when branching a unit test ruleset, the branch did not carry the same unit test flag value as the source ruleset and the rulesets were counted as a result. This has been resolved with an update to ignore testrulesets in guardrail and pegaunit calculations.
INC-128923 · Issue 594162
Cross-site scripting security update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been added to OpenNoteDetails.
INC-143136 · Issue 604016
Cross-site scripting update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been updated in Designer Studio.
INC-127981 · Issue 562998
Rulesets removed from direct invocation ability
Resolved in Pega Version 8.2.7
The following rules have been updated such that they are no longer available to be invoked directly by a client or service: Clipboard_ExecuteActivity, getClassInstances, getOperatorIDs, and GetXMLRuleData. In addition, pzAutoGenClipboard_ExecuteActivity will now require authentication.
SR-D79831 · Issue 562800
Access Deny working as expected for Offers
Resolved in Pega Version 8.2.7
It was possible to Save-As an offer in PegaMKT-Work-Offer after encountering an access deny rule. The record was not created in Dev Studio, however, and an expected denial of access was not registered at runtime. This was due to Access deny rules not being considered as a part of validation, and has been resolved by adding the necessary permission validation to the new harness that will produce the error message informing the user that they are missing a permission. Additional work has also been done to pass the 'pzKeepPageMessages' parameter as true so that page level error messages are correctly displayed.
SR-D87673 · Issue 548627
PegaCESvcsIntegrator security updated
Resolved in Pega Version 8.2.7
Security updates have been made which now require authentication to consume the services from the PegaCESvcsIntegrator package.
SR-D88451 · Issue 550848
Testcases are not available for 'access when' rules
Resolved in Pega Version 8.2.7
Attempting to create test cases for access when rules resulted in guardrail warnings about the need to create a test case. Because Test Cases are not available for the Access When rule type as per Pega expected behavior, the guardrail warnings are not valid and have been removed.