SR-B37957 · Issue 278510
XSS security added for date property error message
Resolved in Pega Version 7.3
A cross site scripting filter has been added for pyErrorMessage in order to improve security.
SR-B38317 · Issue 295056
Password expiry logic updated to use start of day
Resolved in Pega Version 7.3
Previously, the password expiry logic was based on a tight format of number of days+ timeStamp. This caused scenarios such as not prompting for a password reset when user logs in, but rather at the exact time stamp of the previous change even if that comes in the middle of work and throws the user out of the session. To avoid this behavior, the password expiry logic is now based on number of days logic with timeStamp defaulted to start of day (00.00) taking care of locale and getting difference in number of days.
SR-B38602 · Issue 296751
Login error message modified for increased security
Resolved in Pega Version 7.3
When an operator was configured to use External authentication and then attempted to login through other servlets, the error message included the operator ID. This could be used maliciously to discover valid IDs on the system, so in order to improve security, the process has been modified to remove the ID from the failure message. If authentication fails, the message "The information you entered was not recognized." will be displayed and the system will log an error message in the PegaRULES log file with the actual message "Error authenticating , : This user must use external authentication."
SR-B38602 · Issue 297290
Login error message modified for increased security
Resolved in Pega Version 7.3
When an operator was configured to use External authentication and then attempted to login through other servlets, the error message included the operator ID. This could be used maliciously to discover valid IDs on the system, so in order to improve security, the process has been modified to remove the ID from the failure message. If authentication fails, the message "The information you entered was not recognized." will be displayed and the system will log an error message in the PegaRULES log file with the actual message "Error authenticating , : This user must use external authentication."
SR-B38647 · Issue 297399
ServiceExport folder access restricted for guest users
Resolved in Pega Version 7.3
In order to increase data security, access to the 'ServiceExport' folder has been blocked for Guest users (Un-Authenticated users who have pre-atn cookie) on single-tenant sites. Once the user is logged in with valid credentials, the folder contents will be available. For backward compatibility the PRConfig setting 'serviceexportcontent/allowtoguestusers' has been added; if set to true then guest users will have access. The default is false.
SR-B39489 · Issue 290738
KeyStoreType of PKCS12 passes validation
Resolved in Pega Version 7.3
Keystore has an allowed file type of PKCS12, but an invalid type error was generated when trying to create a keystore file of this type. This has been corrected.
SR-B40059 · Issue 296152
IACAuthentication security improved
Resolved in Pega Version 7.3
The IACAuthentication activity assumed third party authentication and did not check for a password. In order to improve security, default password validation has been added to the shipped IACAuthentication activity.
SR-B42009 · Issue 304044
Authentication timeout smoothed for re-login
Resolved in Pega Version 7.3
If custom authentication was used with a stream specified to enter credentials upon authentication timeout, re-login failed after the timeout. This was traced to two issues: first, the custom configuration defaulted to using the out-of-the-box stream "Web-TimeOut", which expects the password to be in base64 encoded format and so attempts to base64 decode it. This caused an authentication failure. Second, when restarting with authentication instead of a timed-out request, the starting activity of operator was being executed and the portal was rendered unexpectedly. To resolve this, the object references needed for the successful resumption will be cloned when there is authentication timeout and used for redirection upon successful authentication.
SR-B43182 · Issue 301518
pzSUS Param properly URLEncoded
Resolved in Pega Version 7.3
The Tomcat 8+ server was rejecting DWA URLs due to characters such as {,} that it considered to be unsafe. These characters were introduced by pzSus key in the URL, and these values will now be encoded for the browser to resolve these issues.
SR-B44199 · Issue 300058
Fixed Access Control Policy in Assign- classes
Resolved in Pega Version 7.3
An error was generated when attempting to create an Access Control Policy in Assign- classes. This was due to a missing use-case, and has been corrected.