INC-191371 · Issue 684481
Security update for GetAssignmentDetailsInternal errors
Resolved in Pega Version 8.8
Error handling for pzGetAssignmentDetailsInternal has been updated to return a 403 (forbidden) HTTP status code in place of potentially sensitive information when access is denied.
INC-213833 · Issue 710186
HarnessActions.handleMenuAction able to invoke Show-Harness
Resolved in Pega Version 8.7.2
A 403 Forbidden issue occurred when Show-Harness was called from pega.ui.HarnessActions.handleMenuAction. This has been resolved by adding code to register 'Show-Harness' when it is called in this way.
INC-213833 · Issue 710187
HarnessActions.handleMenuAction able to invoke Show-Harness
Resolved in Pega Version 8.8
A 403 Forbidden issue occurred when Show-Harness was called from pega.ui.HarnessActions.handleMenuAction. This has been resolved by adding code to register 'Show-Harness' when it is called in this way.
INC-232127 · Issue 741807
View history export updated for BAC
Resolved in Pega Version 8.8
A 403 error was generated when trying to click Export to Excel in view history. Investigation traced this to the Export to Excel activity not being registered with basic access control, and this has been resolved by modifying the URL formation to pass the necessary parameters to register the activity in the menu harness.
INC-220411 · Issue 724062
Handling updated for BPF in FinishAssignment
Resolved in Pega Version 8.8
After update, executing Wrapup resulted in a 403 error and the operator being logged out of the system with a SECU0017 alert. This was traced to pzBFP being removed from the headers as part of the FinishAssignment activity, and has been resolved with an update to conditionally add/remove pzBFP by checking its value. If it is empty, it will not be added to the form.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-190222 · Issue 675956
Emails load with PegaRULES:User4 access
Resolved in Pega Version 8.6.3
Operators with access groups under PegaRULES:User4 were unable to access emails. This was found to be a side effect of Basic Access Control (BAC): if the Production level was set to >=4, the email body could not be seen in the Email Manager Portal and the console reported a 403 Forbidden error. To resolve this, the open work by handle action has been added to the Allow List.
INC-190165 · Issue 676819
MSOFileTransferButtons control withdrawn
Resolved in Pega Version 8.6.3
After updating from Pega 8.2 to 8.6, attempting to modify migrated delegated rules resulted in a 403 error. This was traced to the Download/Upload activities configured to use the MSOFileTransferButtons control: BAC restrictions were introduced in Pega 8.5, and the MSOFileTransferButtons control is not compliant with these. The MSOFileTransferButtons control has now been withdrawn. The FilePath Control should be used in conjunction with pxParseExcelFile to upload and parse the Excel along with using the pxGenerateExcelFile activity for download.
INC-201739 · Issue 694505
Switch from Pega base64 utility to java.util.Base64.getEncoder
Resolved in Pega Version 8.6.3
An on-premises Web Application Firewall (WAF) was interpreting the characters "%0a" in the Pega auto-generated URL as an "HTTP Response Splitting" attack. As a result, communications were intercepted and a 403 error screen was shown. In addition, the characters %250A were interpreted as LF (line feed) or \n in the refreshFor hash generation. To resolve this, an update has been made to use java.util.Base64.getEncoder().encodeToString instead of the Pega base64 utility.
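The following is an added illustration, not Pega code, of why a base64 encoder can put line-feed bytes into a URL and why switching to java.util.Base64.getEncoder() removes them. It assumes (this is an assumption, not stated in the note) that the older utility behaved like a MIME-style encoder that wraps output every 76 characters with CRLF; the query parameter name pzData and the payload are constructed for the example. The containsLineBreak check stands in for the kind of rule a WAF applies when it flags response-splitting patterns.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not Pega code). Assumption: the older utility wrapped its
// output every 76 characters with CRLF, as a MIME-style base64 encoder does;
// that is the usual way CR/LF bytes end up inside a base64 string.
public class Base64UrlSafety {

    // Line-wrapping encoder: the CRLF separators survive URL-encoding as %0D%0A.
    static String encodeWithLineBreaks(byte[] payload) {
        return Base64.getMimeEncoder().encodeToString(payload);
    }

    // The approach the release note switches to: java.util.Base64.getEncoder()
    // never emits line separators, so the encoded value is a single line.
    static String encodeSingleLine(byte[] payload) {
        return Base64.getEncoder().encodeToString(payload);
    }

    // Place the value in a URL query parameter the way an auto-generated URL would.
    static String asQueryParam(String name, String value) {
        return name + "=" + URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Stand-in for a WAF response-splitting rule: raw or percent-encoded CR/LF
    // anywhere in the URL is what such rules look for.
    static boolean containsLineBreak(String url) {
        String lower = url.toLowerCase();
        return lower.contains("%0a") || lower.contains("%0d")
                || url.contains("\n") || url.contains("\r");
    }

    public static void main(String[] args) {
        // Constructed payload, longer than 57 bytes so the MIME encoder wraps a line.
        byte[] payload = new byte[120];
        for (int i = 0; i < payload.length; i++) {
            payload[i] = (byte) i;
        }

        String wrapped = asQueryParam("pzData", encodeWithLineBreaks(payload));
        String single = asQueryParam("pzData", encodeSingleLine(payload));

        System.out.println("MIME-style encoder would be flagged: " + containsLineBreak(wrapped));
        System.out.println("getEncoder output would be flagged:  " + containsLineBreak(single));
    }
}
```

Running the class reports true for the line-wrapping encoder and false for getEncoder, because 120 bytes encode to 160 base64 characters and the MIME encoder inserts CRLF after each 76-character line, which URLEncoder turns into %0D%0A. The same single-line property holds for Base64.getUrlEncoder(), which additionally avoids the '+' and '/' characters that need percent-encoding in a query string.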
INC-216358 · Issue 712230
Auto Complete working in Mobile Browser configuration
Resolved in Pega Version 8.6.4
Autocomplete was not working in the mobile browser when logged in as a user with the display mode configured as "in a table" and "Display results full screen on phone" disabled. Autocomplete results always display in List mode in the mobile browser, but with "in a table" selected and "Display results full screen on phone" unchecked, pzGetACData (which is called for List mode) was not registered and returned a 403 response. To handle this, the conditions in ActionAssembly.java have been removed so that pzGetACData is always registered.