Skip to main content

Pega Platform CVE-2023-4843

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2023-09-08 security@pega.com
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 08, 2023 - 17:15 nvd
MEDIUM 4.8

DescriptionNVD

Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.

AnalysisAI

Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-74. Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user. Affected products include: Pega Pega Platform.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2019-16387 HIGH POC
8.1 Nov 26

PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/!STANDARD?pyActivity=Data-Admin-DB-Name.DBSchema_Li

CVE-2017-11356 MEDIUM POC
6.5 Aug 02

The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users

CVE-2017-11355 MEDIUM POC
6.1 Aug 02

Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to injec

CVE-2020-23957 MEDIUM POC
6.1 Dec 15

Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by

CVE-2023-32090 CRITICAL
9.8 Aug 07

Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials. Rated critical seve

CVE-2023-28094 CRITICAL
9.8 Jun 22

Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be util

CVE-2020-8774 HIGH
8.8 Apr 29

Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID"

CVE-2019-16388 MEDIUM POC
4.3 Nov 26

PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAle

CVE-2019-16386 MEDIUM POC
4.3 Nov 26

PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyActivi

CVE-2025-2160 HIGH
8.1 Apr 14

Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup. Rated high severity (CVSS 8.1)

CVE-2025-2161 HIGH
7.1 Apr 14

Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup. Rated high severity (CVSS 7.1)

CVE-2023-26465 MEDIUM
6.1 Jun 09

Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue. Rated medium severity (CVSS 6.1), this vulnerability i

Share

CVE-2023-4843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy