INC-134808 · Issue 590713
Property check handling updated for Ajax requestor
Resolved in Pega Version 8.3.5
SECU0001 alerts were seen when submitting a case in the interaction portal. Logging indicated the errors were related to the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties which are included in an Ajax request when they exist in the DOM and the 'pyGeolocationTrackingIsEnabled' when rule is true. The error was traced to a condition where a new thread request results in an unexpected property check that encounters a clipboard which doesn't have any pages created for that thread. To resolve this, the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties have been added to an allow list to handle the unexpected properties check.
INC-140101 · Issue 597636
System will attempt to decrypt data ending in "+"
Resolved in Pega Version 8.3.5
Encrypting and decrypting one specific email address was not working properly when showing on the UI. It was possible to force a decryption using decryptproperty, but Pega generated an error. This was due to the actual encrypted value ending with '+', which conflicted with a system check that skips decryption if the encrypted property value ends with + . To resolve this, the system will attempt to decrypt the property even when encryptedText ends with + .
INC-137874 · Issue 599130
Cross-site scripting update for Dev Studio
Resolved in Pega Version 8.3.5
Cross Site Scripting (Cross-site scripting) protections have been added to Developer Studio.
INC-139705 · Issue 595169
Documentation update for Security Settings for DX API
Resolved in Pega Version 8.3.5
Information on the pyDXAPIEncodeValues application setting has been added to the Security Settings for DX API article under the Application settings sub-section. The Pega Platform version that supports the pyDXAPIEncodeValues application setting is mentioned in the Supported UI capabilities article.
INC-201713 · Issue 700221
Resolved SSO logout error
Resolved in Pega Version 8.6.5
After configuring prconfig/initialization/Urlencryption/default -> true and prconfig/initialization/SubmitObfuscatedURL/default -> required, logging in to any portal using SSO resulted in a 400 error when trying to log out. This has been resolved by adding a call to the encryption Rule-Utility-Function while calling logoff activity from 'pzSingleLogoutServiceRedirectV2'.
INC-202702 · Issue 713726
Ruleset creation process updated to maintain thread scope
Resolved in Pega Version 8.6.5
On creating a ruleset, the system generated the error "There has been an issue. Please consult your system administrator." If browser cookies and site settings were cleared and the browser was relaunched before logging in and creating a ruleset, the issue did not occur. Investigation showed that the Application page was at the Requestor scope for some of the threads due to handling in the ruleset creation process that removed the Application page and recreated it in the default scope of the thread with the latest state. To resolve this, the process for deleting the Application page and recreating it on the Requestor page has been removed.
INC-212265 · Issue 714015
at+jwt header type support added
Resolved in Pega Version 8.6.5
After upgrading from Pega 7 to Pega 8, using JWT validation in the REST service package with type "at+jwt" resulted in the JSON web token being rejected during signature verification with the error "header "typ" (type) "at+jwt" not allowed". Pega uses the third-party Nimbus jar to generate and verify JWT tokens, and this issue was traced to a difference in the versions of that jar: Pega 7.3 uses the nimbus-jose-jwt 5.1 version jar, while Pega 8.6+ uses the 8.20 jar version. Nimbus rejects at+jwt header types by default from the 8.0 jar version. To resolve this and improve backwards compatibility, at+jwt header type support has been added.
INC-216154 · Issue 718236
SMTPPort parameter will be passed to ForgotPasswordUtil
Resolved in Pega Version 8.6.5
When a user triggered the "Trouble Signing in" function, the SentEmailNotification activity connection was trying to use port 25 even if the SMTP Port was configured as 587 in the Email Account instance. This was due to the SMTP Port not being passed to the SentEmailNotification activity, causing a fallback to port 25 for non-SSL connections. In order to ensure SendEmailNotification uses a specified port if configured, pySMTPPort will be passed to ForgotPasswordUtil.java.
INC-217461 · Issue 714310
Key ID made optional for JWT
Resolved in Pega Version 8.6.5
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-219208 · Issue 717217
Updated OAuth2 registration handling for modified application definition
Resolved in Pega Version 8.6.5
After update, attempting to resave an application definition after any modification resulted in the error "Application OAuth2 client registration is failed. Error Message: PegaApp_XXBase:Client already exists". This was due to pxCreateRecord being called to create the authentication profile: as it was already present, it failed to create a new one. This has been resolved by changing pxCreateRecord to Obj-Save in this process. This change will only be applied on newly created applications using the Data-Application-OAuth2ClientRegistration instance. The solution for already exported applications is to delete the corresponding OAuth2 client (PegaApp_<application id>) and resave the application to create a new client along with the needed metadata.