INC-191371 · Issue 684481
Security update for GetAssignmentDetailsInternal errors
Resolved in Pega Version 8.8
Error handling for pzGetAssignmentDetailsInternal has been updated to return a 403 (forbidden) HTTP status code in place of potentially sensitive information when access is denied.
INC-213833 · Issue 710186
HarnessActions.handleMenuAction able to invoke Show-Harness
Resolved in Pega Version 8.7.2
A 403 Forbidden issue occurred when Show-Harness was called from pega.ui.HarnessActions.handleMenuAction. This has been resolved by adding code to register 'Show-Harness' when it is called in this way.
INC-213833 · Issue 710187
HarnessActions.handleMenuAction able to invoke Show-Harness
Resolved in Pega Version 8.8
A 403 Forbidden issue occurred when Show-Harness was called from pega.ui.HarnessActions.handleMenuAction. This has been resolved by adding code to register 'Show-Harness' when it is called in this way.
INC-202943 · Issue 700195
WorkLink URL generation updated for security
Resolved in Pega Version 8.5.6
When using a WorkLink in an email, clicking the link and entering credentials on the login screen resulted in a 403 unauthorized error. This was due to a WorkLink URL generation issue caused by the non-encryption of the RedirectAndRun activity call in the URL, and has been resolved.
INC-194408 · Issue 686451
Resolved security error for new portal tab with BAC
Resolved in Pega Version 8.5.6
After configuring Show-Harness in a popup window, a 403 unauthenticated error was seen on the activity pzTransformandRun even though the activity was registered. This has been resolved by ensuring the proper portal name is passed to new tabs when BAC is used.
INC-232127 · Issue 741807
View history export updated for BAC
Resolved in Pega Version 8.8
A 403 error was generated when trying to click Export to Excel in view history. Investigation traced this to the Export to Excel activity not being registered with basic access control, and this has been resolved by modifying the URL formation to pass the necessary parameters to register the activity in the menu harness.
INC-220411 · Issue 724062
Handling updated for BFP in FinishAssignment
Resolved in Pega Version 8.8
After update, executing Wrapup resulted in a 403 error and the operator being logged out of the system with a SECU0017 alert. This was traced to pzBFP being removed from the headers as part of the FinishAssignment activity, and has been resolved with an update to conditionally add/remove pzBFP by checking its value. If it is empty, it will not be added to the form.
INC-209298 · Issue 704143
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.5.6
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-190222 · Issue 675956
Emails load with PegaRULES:User4 access
Resolved in Pega Version 8.6.3
Operators with access groups under PegaRULES:User4 were unable to access emails. This was found to be a side effect of Basic Access Control (BAC): if the production level was set to >=4, the email body could not be seen in the Email Manager Portal and the console reported a 403 Forbidden error. To resolve this, the open work by handle action has been added to the Allow List.