SR-A87992 · Issue 258338
OperatorID page handling corrected for authentication failures
Resolved in Pega Version 7.2.2
With security policies and the password lock-out feature enabled, a valid authentication attempt caused the 'OperatorID' page to be present in all threads. However, when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in the 'STANDARD' thread and was empty in the other threads. This was an issue with the method used to update the failure count for authentication attempts, and has been corrected.
SR-A90144 · Issue 259472
Apache Struts JARs updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93015 · Issue 260000
Apache Struts JARs updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93024 · Issue 259995
Apache Struts JARs updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A23603 · Issue 258204
ADP alert messages updated for security
Resolved in Pega Version 7.2.2
To improve security, ADP alert messages have been changed to include only data page name rather than the cache key used to identify the data page in the async service manager cache.
SR-A99040 · Issue 268520
Cleared email field in FieldMarketer campaign remains blank
Resolved in Pega Version 7.2.2
If the Email field of a FieldMarketer campaign was cleared and saved, closing and then reopening the session filled the email field with the Operator ID, which is not a valid email address. This was traced to Operator Email always defaulting to OperatorID when empty, and the activity has now been modified so that it does not set the email field when it is empty.
SR-A91743 · Issue 258673
Security update for pxInitials control
Resolved in Pega Version 7.2.2
An XSS (cross-site scripting) filter has been added for potentially exploitable parameters in the pxInitials control.
INC-196961 · Issue 693473
Iteration method updated for SetRequiredSkillsCountColumn
Resolved in Pega Version 8.7.1
After update, database utilization spiked and did not drop. Investigation traced this to the use of Local.totalCount in pzSetRequiredSkillsCountColumn, which caused the iteration loop to run more times than necessary. This has been resolved by replacing Local.totalCount with Local.iterationsCount in the iteration.
INC-184040 · Issue 688256
Improved accessibility for Disclosable Documents/attach files/auto selection dropdowns
Resolved in Pega Version 8.7.1
When using Dragon for accessibility, issues were seen when trying to select different options in the dropdowns related to attaching multiple files. This was caused by the legacy grids in use not supporting this type of accessibility functionality, and has been resolved by updating pzAttachFileDDFileList to use an optimized table instead.
INC-186036 · Issue 685370
Field Level Audit updated to handle hierarchical properties
Resolved in Pega Version 8.7.1
Field Level Audit was not working for the first change of the data selected or provided for a field; the audit was only reflected after the second change was made. When the property involved a series of hierarchies, for example pageprop.pagelist(1).pageprop, the FLA objects initially used deferred saves and the generated pzinskeys were added to a savedFLAMap object. However, when the last pageprop was not eligible to save, all the deferred saves of the earlier records were cancelled, but their inskeys were not removed from the savedFLAMap object. Because of this, the parent FLA records were assumed to have been saved already when those saves had in fact been deferred and cancelled. This was a missed use case for hierarchical properties, and has been resolved by adding an update that removes the inskeys from the savedFLAMap object, so that on the subsequent property change the audit's FLA records for the parent properties (pageprop.pagelist(1)) are saved again.