Pega Browser Extension Arbitrary File-Write Vulnerability
Vulnerability
A critical arbitrary file-write vulnerability has been identified in the Pega Browser Extension (PBE). It affects Pega Robot Studio developers who use Google Chrome or Microsoft Edge, and is present in Pega Robot Studio versions 22.1 and R25. Robot Runtime users are not affected. The vulnerability can be exploited if a developer is tricked into visiting a malicious website while Robot Studio is in interrogation mode, which can lead to unauthorized file modifications on the developer's machine.
Impact
Exploitation of this vulnerability could allow arbitrary file writes, potentially leading to unauthorized file modifications or other malicious actions, depending on which file is written and where.
Remediation
To address this vulnerability, Pega Robot Studio users should update to version 25.1.12 or later. Pega Browser Extension version 3.1.43 or later is also recommended; it can be used with any version of Robot Studio R25 or 22.1. Users of version 22.1 only need the PBE update from the R25 download. Instructions for downloading the latest Pega Robotic Automation software are available in the Pega documentation.