INC-199303 · Issue 690629
Guided Tour working from Actions menu
Resolved in Pega Version 8.7
After updating from Pega 8.4 to Pega 8.5, "Manage a Guided Tour" was no longer working under a local action when called from the Actions menu on a work object. An unspecified error message appeared in the tracer. Investigation showed there was a null pointer error caused by the menu being invoked on an invalid page, and this was traced to updated authentication requirements: registration at the portal is not reliable as it is thread-scoped and run only once. The thread name is not guaranteed to stay the same so subsequent invocations of the tour activities failed. This has been resolved by modifying the call registration function to handle the security issues related to the generation of the menu path.
INC-200299 · Issue 689561
LookUpList correctly executes during SSO login with model operator
Resolved in Pega Version 8.7
After configuring SSO to create operators on fly using a model operator, a new user logging in for the very first time had their operator ID created using the model operator, but after upgrade new users logging in to the system received the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY @BASECLASS LOOKUPLIST". This was due to the methods used for additional security on the activity @baseclass LookUpList which allows it to only be run by authenticated users, and has been resolved.
INC-204897 · Issue 695409
Log4j file security vulnerability issue addressed
Resolved in Pega Version 8.7
A zero-day vulnerability was identified in the Apache Log4j logging software which could potentially allow malicious actors to take control of organizational networks. Pega has immediately and thoroughly addressed this issue. More information can be found at https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability .
INC-173068 · Issue 654066
HTML tags escaped in Audit History field values
Resolved in Pega Version 8.5.6
The case narrative section was showing case statuses with encoded special characters such as % or ( ), resulting in entries such as "Status changed to Complete &# 40;approved& #41; !@##$: %^& amp;*&# 40;&# 41;_&# 43;.</div>". This has been resolved by updating the PyMemo field from type Text Input to DisplayAsLiteral for case narrative, which matches the setting for case history.
INC-178650 · Issue 673547
Cross-site scripting protections updated
Resolved in Pega Version 8.5.6
Cross-site scripting protections have been updated around the DisplayAttachment function.
INC-180275 · Issue 666454
Collaboration control hidden if data type is delegated
Resolved in Pega Version 8.5.6
When collaborating using a customized CaseManager portal with some delegated data types, the admin user refreshing the Data Type view changed the collaborator's view from the portal to show the Data Type tabs, allowing the second person to open rules (properties, Data Pages, etc) and see the configuration even though they could not make any changes. This has been resolved by updating pzDataTypeDelegated to display the collaboration control only if pzDelegation is false.
INC-183650 · Issue 678310
Corrected doubled tag removal
Resolved in Pega Version 8.5.6
After adding two tags for a Service case, attempting to delete the first tag resulted in the second tag also being removed. When three tags were present in the case, deleting the first tag caused the first and second to be deleted. Investigation showed this was caused by the run activity pyRemoveTagLink being called twice in run time, and has been resolved by updating the run activity.
INC-183751 · Issue 665891
Improved text contrast for Attach Content button
Resolved in Pega Version 8.5.6
In order to improve accessibility, the contrast between text and background colors has been increased for the Attach Content button by updating pzMultiDragDropControlStandard to change the color from gray to black in function pzInitHTML5DD().
INC-183822 · Issue 667500
Filename with non-ASCII characters normalized for Apple Safari upload
Resolved in Pega Version 8.5.6
When using the Apple Safari browser, attaching a file name that contained Japanese characters resulted in an "attachment doesn't exist" error message when trying to open it again. This was caused by the special characters in the FileName for the Data/Query string not being encoded during the file upload, and has been resolved by updating the UploadFileToADocument activity to normalize the FileName if the Safari Browser is being used.
INC-183947 · Issue 673732
Query split added to handle Oracle expressions limit
Resolved in Pega Version 8.5.6
The PXCHECKFLOWDEPENDENCIES activity was throwing the Oracle error message "ORA-01795: maximum number of expressions in a list is 1000" when a case had a very large number of sub-cases, causing a failure in trying to submit additional child cases which sent them into the broken process. This has been resolved by updating the pxCheckFlowDependencies rule to break down the query parameter into batches of 999 so they can be handled by Oracle.