INC-142145 · Issue 594917
Resolved 403 error for refresh of incognito window with CSRF
Resolved in Pega Version 8.6
Opening the simpleurl in a fresh incognito window opened the work object in a standard thread, but on refresh of the window a 403 error appeared and the screen went blank. This was a missed use case for the recently-added CSRF validation for non-AJAX GET requests that are redirected POST requests. The CSRF token was validated when pzPostData was present in the request, but once the original request completed the request map was cleared and the pzCtkn value in the request map was empty, resulting in the 403 error. To resolve this, the system now skips CSRF validation for a refresh scenario in which the post data request map is empty after the original request, and validation has been added for a blank pyActivity in the request.
INC-191371 · Issue 684481
Security update for GetAssignmentDetailsInternal errors
Resolved in Pega Version 8.8
Error handling for pzGetAssignmentDetailsInternal has been updated to return a 403 (forbidden) HTTP status code in place of potentially sensitive information when access is denied.
INC-213833 · Issue 710186
HarnessActions.handleMenuAction able to invoke Show-Harness
Resolved in Pega Version 8.7.2
A 403 Forbidden issue occurred when Show-Harness was called from pega.ui.HarnessActions.handleMenuAction. This has been resolved by adding code to register 'Show-Harness' when it is called in this way.
INC-213833 · Issue 710187
HarnessActions.handleMenuAction able to invoke Show-Harness
Resolved in Pega Version 8.8
A 403 Forbidden issue occurred when Show-Harness was called from pega.ui.HarnessActions.handleMenuAction. This has been resolved by adding code to register 'Show-Harness' when it is called in this way.
INC-202943 · Issue 700195
WorkLink URL generation updated for security
Resolved in Pega Version 8.5.6
When using a WorkLink in an email, clicking the link and entering credentials on the login screen resulted in a 403 unauthorized error. This was due to a WorkLink URL generation issue caused by the non-encryption of the RedirectAndRun activity call in the URL, and has been resolved.
INC-194408 · Issue 686451
Resolved security error for new portal tab with BAC
Resolved in Pega Version 8.5.6
After configuring Show-harness in a popup window, a 403 unauthenticated error was seen on the activity pzTransformandRun even though the activity was registered. This has been resolved by ensuring the proper portal name is passed to new tabs when BAC is used.
INC-232127 · Issue 741807
View history export updated for BAC
Resolved in Pega Version 8.8
A 403 error was generated when trying to click Export to Excel in view history. Investigation traced this to the Export to Excel activity not being registered with basic access control, and this has been resolved by modifying the URL formation to pass the necessary parameters to register the activity in the menu harness.
INC-220411 · Issue 724062
Handling updated for BFP in FinishAssignment
Resolved in Pega Version 8.8
After update, executing Wrapup resulted in a 403 error and the operator being logged out of the system with a SECU0017 alert. This was traced to pzBFP being removed from the headers as part of the FinishAssignment activity, and has been resolved with an update that conditionally adds or removes pzBFP by checking its value: if it is empty, it is not added to the form.
INC-209298 · Issue 704143
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.5.6
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.