SR-B37427 · Issue 293709
Security upgrade for Struts2
Resolved in Pega Version 7.3
To improve security, Apache Struts2 has been upgraded to version 2.3.32 .
SR-B37598 · Issue 293711
Security upgrade for Struts2
Resolved in Pega Version 7.3
To improve security, Apache Struts2 has been upgraded to version 2.3.32 .
SR-B37780 · Issue 293894
Security upgrade for Struts2
Resolved in Pega Version 7.3
To improve security, Apache Struts2 has been upgraded to version 2.3.32 .
SR-B37780 · Issue 293899
Security upgrade for Struts2
Resolved in Pega Version 7.3
To improve security, Apache Struts2 has been upgraded to version 2.3.32 .
SR-B37780 · Issue 294148
Security upgrade for Struts2
Resolved in Pega Version 7.3
To improve security, Apache Struts2 has been upgraded to version 2.3.32 .
SR-B37915 · Issue 294722
Security upgrade for Struts2
Resolved in Pega Version 7.3
To improve security, Apache Struts2 has been upgraded to version 2.3.32 .
SR-B37957 · Issue 303574
XSS security added for date property error message
Resolved in Pega Version 7.3
A cross site scripting filter has been added for pyErrorMessage in order to improve security.
SR-B37957 · Issue 278510
XSS security added for date property error message
Resolved in Pega Version 7.3
A cross site scripting filter has been added for pyErrorMessage in order to improve security.
SR-B38317 · Issue 295056
Password expiry logic updated to use start of day
Resolved in Pega Version 7.3
Previously, the password expiry logic was based on a tight format of number of days+ timeStamp. This caused scenarios such as not prompting for a password reset when user logs in, but rather at the exact time stamp of the previous change even if that comes in the middle of work and throws the user out of the session. To avoid this behavior, the password expiry logic is now based on number of days logic with timeStamp defaulted to start of day (00.00) taking care of locale and getting difference in number of days.
SR-B38602 · Issue 296751
Login error message modified for increased security
Resolved in Pega Version 7.3
When an operator was configured to use External authentication and then attempted to login through other servlets, the error message included the operator ID. This could be used maliciously to discover valid IDs on the system, so in order to improve security, the process has been modified to remove the ID from the failure message. If authentication fails, the message "The information you entered was not recognized." will be displayed and the system will log an error message in the PegaRULES log file with the actual message "Error authenticating , : This user must use external authentication."