Shodan
Vulnerabilities
Vulnerable Software
Pega:  Security Vulnerabilities
CVE-2021-27651
In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
CVSS Score
9.8
EPSS Score
0.921
Published
2021-04-29
CVE-2020-15390
pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-04-12
CVE-2021-27653
Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.
CVSS Score
6.6
EPSS Score
0.003
Published
2021-04-01
CVE-2020-23957
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-12-15
CVE-2020-24353
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-11-09
CVE-2019-16374
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
CVSS Score
9.8
EPSS Score
0.012
Published
2020-08-13
CVE-2020-8775
Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags.
CVSS Score
8.9
EPSS Score
0.005
Published
2020-04-29
CVE-2020-8773
The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability.
CVSS Score
8.9
EPSS Score
0.005
Published
2020-04-29
CVE-2020-8774
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-04-29
CVE-2019-16386
PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivity=GetWebInfo&target=popup&pzHarnessID=random_harness_id request to get database schema information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect
CVSS Score
4.3
EPSS Score
0.002
Published
2019-11-26


Products
Pricing
Contact Us

Shodan ® - All rights reserved