Pega Platform
cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*
- >= 8, <= 25.1.1
An HTML injection vulnerability has been identified in the Pega Platform, affecting versions 8.1.0 through 25.1.1. This vulnerability resides within a user interface component and can be exploited by users with a developer or admin role.
Exploitation of this vulnerability allows for HTML injection, which is similar to cross-site scripting (XSS) but only permits the injection of certain HTML tags. This could potentially be used to manipulate the user interface or inject malicious content that could be executed by the user.
Users can update to Pega Platform version 24.2.4 or 25.1.2, or apply the hotfixes 23.1.5 (HFIX-D585) or 24.1.4 (HFIX-D586) if they are on an earlier version. Pega Cloud and Pega Cloud for Government clients will have these hotfixes applied automatically. On-premises or client-managed cloud clients can download the hotfixes from 'My Security Hotfixes' on 'My Pega'.