Resolved Issues

Please note: beginning with the Pega Platform 8.7.4 Patch, the Resolved Issues have moved to the Support Center.

SR-A87992 · Issue 258338

OperatorID page handling corrected for authentication failures

Resolved in Pega Version 7.2.2

A valid authentication attempt with security policies and the password lock-out feature enabled caused the 'OperatorID' page to be present in all the threads, but when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in the 'STANDARD' thread and empty in other threads. This was an issue with the method used to update the failure count for authentication attempts, and has been corrected.

SR-A90144 · Issue 259472

Apache Struts JARs updated to improve security

Resolved in Pega Version 7.2.2

The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

SR-A93015 · Issue 260000

Apache Struts JARs updated to improve security

Resolved in Pega Version 7.2.2

The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

SR-A93024 · Issue 259995

Apache Struts JARs updated to improve security

Resolved in Pega Version 7.2.2

The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

SR-A23603 · Issue 258204

ADP alert messages updated for security

Resolved in Pega Version 7.2.2

To improve security, ADP alert messages have been changed to include only the data page name rather than the cache key used to identify the data page in the async service manager cache.

SR-A99040 · Issue 268520

Cleared email field in FieldMarketer campaign remains blank

Resolved in Pega Version 7.2.2

If the Email field of a FieldMarketer campaign was cleared and saved, closing and then reopening the session filled the email field with the Operator ID, which is not a valid email address. This was traced to Operator Email always defaulting to OperatorID if empty, and the activity has now been modified to not set the email field if empty.

SR-A91743 · Issue 258673

Security update for pxInitials control

Resolved in Pega Version 7.2.2

A cross-site scripting (XSS) filter has been added for potentially exploitable parameters in the pxInitials control.

INC-128571 · Issue 584752

Auto-process assignments cleanup improved

Resolved in Pega Version 8.6

After configuring auto process with an assignment at the flow end, the perform harness was being presented at the end of the assignment during runtime. This was the result of the newAssign page not being removed as part of the cleanup after auto-processing was done, causing the performB2BAssignmentCheck activity to believe the next assignment existed. This has been resolved by ensuring that auto-process assignments have the newAssignPage removed after the assignment is deleted.

INC-134113 · Issue 591542

Child case locking error message has correct parameter

Resolved in Pega Version 8.6

A locking error message was appearing without the case parameter, showing "Error Message : Could not lock the cover ; has it. Please wait and try again later." This was traced to the cover already being present, causing the step to open the Cover Object to fail. To resolve this, an update has been added to pass the Cover case ID to the field value.

INC-135335 · Issue 588511

Parent flow next step will take precedence over sub-process

Resolved in Pega Version 8.6

A breadcrumb configured in the screen flow was not displaying at the last assignment when there were multiple embedded sub processes and the last assignment was called in a sub process. This was traced to the parent flow next step information not being passed due to the next step in the sub process being marked as an end shape. To resolve this, the pzFlowSteps7 html control has been updated to pass the parent flow's next step information in this situation.