INC-182827 · Issue 691528
URL security updated
Resolved in Pega Version 8.6.4
Security has been updated for URL tampering defense and Rule Security Mode.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-211426 · Issue 706061
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.6.4
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-215343 · Issue 711141
Security updates
Resolved in Pega Version 8.6.4
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
SR-B45056 · Issue 328736
XSS filtering added to getClassOfPageReference
Resolved in Pega Version 7.4
XSS filtering has been added to the URL produced when using getClassOfPageReference.
SR-B45056 · Issue 330368
XSS filtering added to getClassOfPageReference
Resolved in Pega Version 7.4
XSS filtering has been added to the URL produced when using getClassOfPageReference.
SR-B74553 · Issue 326255
Refined accessgrouplist checks
Resolved in Pega Version 7.4
Following a system modification that changed the property used to populate the access groups list to match that on clipboard (correct value), a previously unseen issue was uncovered where all the division and organization AGs were being added to the list. This has been addressed by updating the code to add the applications on division and organization only when there is no default selected at the operator. If there is some application selected as default at the operator, then the division or organization applications will not be added. If there is nothing selected at operator, then a check for division will be made, and if there is nothing selected at division then organization will be checked.
SR-B78496 · Issue 327358
Refined accessgrouplist checks
Resolved in Pega Version 7.4
Following a system modification that changed the property used to populate the accessgroups list to match that on clipboard (correct value), a previously unseen issue was uncovered where all the division and organization AGs were being added to the list. This has been addressed by updating the code to add the applications on division and organization only when there is no default selected at the operator. If there is some application selected as default at the operator, then the division or organization applications will not be added. If there is nothing selected at operator, then a check for division will be made, and if there is nothing selected at division then organization will be checked.
SR-B81365 · Issue 332518
Enhanced security for IAC gadget
Resolved in Pega Version 7.4
The code for the IAC gadget has been reworked to replace eval functions in order to enhance security.
SR-B81365 · Issue 331996
Enhanced security for IAC gadget
Resolved in Pega Version 7.4
The code for the IAC gadget has been reworked to replace eval functions in order to enhance security.