INC-133450 · Issue 585994
Login button hidden after click
Resolved in Pega Version 8.3.5
When the login button was clicked fast several times, intermittently the login would fail with the blue screen and "Security violation attempting to access requestor" error in the logs. To resolve this, on click of the login button will be hidden to prevent firing multiple login requests.
INC-144591 · Issue 601614
Oauth and beanutils jars upgraded
Resolved in Pega Version 8.3.5
The third party Oauth2 jars and commons-beanutils jar have been updated to the latest versions.
INC-134808 · Issue 590713
Property check handling updated for Ajax requestor
Resolved in Pega Version 8.3.5
SECU0001 alerts were seen when submitting a case in the interaction portal. Logging indicated the errors were related to the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties which are included in an Ajax request when they exist in the DOM and the 'pyGeolocationTrackingIsEnabled' when rule is true. The error was traced to a condition where a new thread request results in an unexpected property check that encounters a clipboard which doesn't have any pages created for that thread. To resolve this, the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties have been added to an allow list to handle the unexpected properties check.
INC-140101 · Issue 597636
System will attempt to decrypt data ending in "+"
Resolved in Pega Version 8.3.5
Encrypting and decrypting one specific email address was not working properly when showing on the UI. It was possible to force a decryption using decryptproperty, but Pega generated an error. This was due to the actual encrypted value ending with '+', which conflicted with a system check that skips decryption if the encrypted property value ends with + . To resolve this, the system will attempt to decrypt the property even when encryptedText ends with + .
INC-137874 · Issue 599130
Cross-site scripting update for Dev Studio
Resolved in Pega Version 8.3.5
Cross Site Scripting (Cross-site scripting) protections have been added to Developer Studio.
INC-139705 · Issue 595169
Documentation update for Security Settings for DX API
Resolved in Pega Version 8.3.5
Information on the pyDXAPIEncodeValues application setting has been added to the Security Settings for DX API article under the Application settings sub-section. The Pega Platform version that supports the pyDXAPIEncodeValues application setting is mentioned in the Supported UI capabilities article.
INC-118838 · Issue 560691
OKTA receives parameters on logout
Resolved in Pega Version 8.2.7
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the DB, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-D95148 · Issue 557483
Port validation updated for redirect URI
Resolved in Pega Version 8.2.7
When an offline app for windows client was generated, trying to login via SSO resulted in the error "invalid redirect_uri". This was traced to the system validating the whole loopback redirection URL, e.g. "http://127.0.0.1:1234/redirection", including the port number. To enhance flexibility, an update has been made so that the port number will not be validated, allowing the client to establish it based on availability at the moment of the request to the authorization service. NOTE: As a best practice, a loopback URL should not be configured as a redirect URI. If a loopback URL is configured, then at run time the port number will not be validated, and the client application can use any available port on the system including ports that may not be intended for use.