SR-A16543 · Issue 235300
Resolved Interaction Portal unexpected close
Resolved in Pega Version 7.2.1
In Google Chrome, launching a secondary portal and encountering a Content Security Policy issue relating to an image caused the secondary portal to automatically close and the developer portal to be refreshed. This was an issue with a mismatch in the pyrequestor token, and has been corrected.
SR-A16960 · Issue 233576
Predictive Analytics rulesets excluded from RSA
Resolved in Pega Version 7.2.1
The Pega-provided Predictive Analytics rulesets were incorrectly being checked and flagged by the Rule Security Analyzer. The PAD rulesets have now been properly excluded from the RSA check, and further analysis was done to find and fix other RSA flags that should have been excluded.
SR-A19297 · Issue 237347
Added ability to set custom HTTP security headers
Resolved in Pega Version 7.2.1
XSS protections were interfering with the ability to set custom HTTP headers. To enable this, the system will use dynamic system settings from http/responseHeaders and add them to every HTTP response.
SR-A21378 · Issue 245075
Resolved Interaction Portal unexpected close
Resolved in Pega Version 7.2.1
In Google Chrome, launching a secondary portal and encountering a Content Security Policy issue relating to an image caused the secondary portal to automatically close and the developer portal to be refreshed. This was an issue with a mismatch in the pyrequestor token, and has been corrected.
SR-A22198 · Issue 244738
Empty access groups handling added for organizational instance
Resolved in Pega Version 7.2.1
If an unauthenticated access group was configured in the organizational instance, errors occurred because the organization instance access groups are only considered for session authorization once the user is authenticated. This will now be handled through a validate activity change in Data-admin-organization to honor the emptiness of access groups.
SR-A24508 · Issue 246983
Apache Struts updated for security
Resolved in Pega Version 7.2.1
Apache Struts has been updated to version 2.3.28 to protect against potential security vulnerabilities exposed when Dynamic Method Invocation is enabled, removing the ability for remote attackers to execute arbitrary code via the method: prefix, related to chained expressions.
INC-199790 · Issue 700646
GetAllEmailWork temp page renamed to avoid conflict
Resolved in Pega Version 8.6.4
The default Email manager portal was not displaying new email triage cases. Investigation showed that because the GetAllEmailWork and CaseBreadCrumbPopulate activities were using a common name for the clipboard page "TempPage", when CaseBreadCrumbPopulate removed the TempPage clipboard page as one of its steps a null pointer exception occurred for GetAllEmailWork. To resolve this, an update has been made to rename "TempPage" to "TempPageET" for GetAllEmailWork so the names will not conflict.
INC-211417 · Issue 711611
Updated URL construction for inline images for better performance
Resolved in Pega Version 8.6.4
System slowness was seen, and inline images were not getting displayed when the case was opened. This has been resolved by modifying pyExtractHtmlFromAttachment to ensure the image source URL is built in a consistent way whether or not there is a cache to call from.
INC-212549 · Issue 706074
HTML attachments conditionally shown in email listener cases
Resolved in Pega Version 8.6.4
When rich text/HTML (non-plain text) emails were ingested in email, the original mail was not getting added to the case. Investigation showed that the pzCreateTriageWork activity had an explicit delete step to remove any attachment that started with 'email-content'. Since the HTML attachment name starts with 'email-content', it was deleted in the above activity. This has been resolved by adding an update to conditionally show email-content.html.
INC-214294 · Issue 710826
PopulateEmailClientWorkFilter correctly resolves field value
Resolved in Pega Version 8.6.4
The first item in the Email manager queue selection dropdown was 'DefaultWorklist', instead of 'Default worklist' or other formatted text. Investigation showed the New Page was not created for the temp results in pzPopulateEmailClientWorkFilter Activity, preventing it from resolving the customized/available field values, and this has been resolved.