INC-139300 · Issue 590273
Additional security for encrypted passwords
Resolved in Pega Version 8.3.5
Handling and cleanup has been updated for encrypted values to enhance security.
INC-141296 · Issue 592474
Log-access security updated
Resolved in Pega Version 8.3.5
Access control has been updated for Log-Usage class.
INC-139337 · Issue 595222
RefreshRequestors security update
Resolved in Pega Version 8.3.5
Security improvements have been added for RefreshRequestors.
INC-135349 · Issue 583004
Unit Test Ruleset rules do not count against Guardrails
Resolved in Pega Version 8.3.5
Although the documentation indicates that rules in a Unit Testing ruleset should not count against the guardrail score or unit test coverage, when branching a unit test ruleset, the branch did not carry the same unit test flag value as the source ruleset and the rulesets were counted as a result. This has been resolved with an update to ignore testrulesets in guardrail and pegaunit calculations.
INC-128923 · Issue 594162
Cross-site scripting security update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been added to OpenNoteDetails.
INC-143136 · Issue 604016
Cross-site scripting update
Resolved in Pega Version 8.3.5
Cross-site scripting protections have been updated in Designer Studio.
SR-D40662 · Issue 511396
OpenRuleAdvanced updated
Resolved in Pega Version 8.3.2
After upgrade, the Update Page and Append and Map to step in Data transform was generating the error "No Server connection while giving page name to Target and Source". This was traced to the OpenRuleAdvanced_OverLabel control, and investigation showed that a variable was not being resolved when invoking pzEncryptURLActionString. This has been resolved by updating OpenRuleAdvanced and reimplementing two parameters as well as moving the call of these variables to the beginning of the script. Security has also been improved by moving some of the encryption to SafeUrls.
SR-D41636 · Issue 521731
Route to configuration in the approval flow accepts Specific User parameters
Resolved in Pega Version 8.3.2
Route to configuration in the approval flow was not accepting a parameter value/property value when select Specific User option from drop down was chosen. This was traced to unique ID change work done in the 8.2 release: the pzSimpleApproval section has two controls (DropDown for Participant & AutoComplete for Operator) configured on same property pyOperatorToAssign with "run visibility on client configuration), and when the control value was being changed in the AutoComplete control, the empty value of DropDown control was being posted to the clipboard. To correct this, the section Work-.pzSimpleApproval has been modified to remove performing run-visibility conditions at client side. Instead, the system will use the ".pyApproverType Changes" condition to refresh the wrapper DL which contains the routeTo type Operator/WB/Participant property controls.
SR-D42566 · Issue 512871
ApplicationInventory function deleted
Resolved in Pega Version 8.3.2
It was possible to call the activity "ApplicationInventory of class Rule-" by appending the activity name in the URL. To improve security, the ApplicationInventory activity and HTML rule have been removed from the system.
SR-D44942 · Issue 518352
Guided tour popups handling added for right-to-left language locales
Resolved in Pega Version 8.3.2
Guided Tour Popups were still appearing in the default EN location after switching to the ar_AR locale. This was traced to a missed use case for locales using a right-to-left mode such as Arabic or Hebrew, and has been resolved by updating the guided tour engine openPopOver function to account for the HTML tag dir attribute for value of "rtl". This will anchor the pop over to rightBottom / and display the arrow on the rightTop instead of leftBottom / leftTop.