EUVD-2025-209147

CVE-2025-62184 | MEDIUM | CVSS 4.0 base score 4.8 | Vendor: Pega | 2026-03-31

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Passive (P)
Scope: not defined (X)

Lifecycle Timeline

CVE Published: Mar 31, 2026 - 17:52 (nvd)
EUVD ID Assigned: Mar 31, 2026 - 18:16 (euvd), EUVD-2025-209147
Analysis Generated: Mar 31, 2026 - 18:16 (vuln.today)

Description

Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none.

Analysis

Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with the affected UI elements. Exploitation requires high-privilege administrative access and user interaction, which yields a CVSS 4.0 base score of 4.8 (rated Medium on this record) with no integrity or availability impact. No public exploit code or active exploitation had been identified at the time of analysis.

Technical Context

The vulnerability is a classic stored cross-site scripting (CWE-79) flaw occurring in a Pega Platform user interface component. Pega Infinity is a low-code business process management and customer engagement platform built on a Java enterprise architecture. Stored XSS vulnerabilities in such platforms typically arise when user-supplied input (form fields, configuration parameters, or custom UI elements) is persisted in a backend database and subsequently rendered in the browser without proper output encoding or sanitization. The affected CPE (cpe:2.3:a:pegasystems:pega_infinity:*:*:*:*:*:*:*:*) covers all versions of Pega Infinity, with the specific vulnerable range confirmed as 8.1.0 through 25.1.0. The attack surface is limited to authenticated administrative users, which significantly constrains real-world risk in multi-tenant or role-based access control environments.

Affected Products

Pega Infinity (versions 8.1.0 through 25.1.0) is affected as indicated by the CPE cpe:2.3:a:pegasystems:pega_infinity. This encompasses all minor and patch releases within the 8.1.0 to 25.1.0 range, spanning multiple major version families (8.x, 9.x through 25.x). Customers running any version in this range must assess patching urgency based on whether administrative users have UI customization or component editing capabilities. The full remediation details and patch availability are documented in the Pega security advisory at https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note.

Remediation

Organizations should apply the vendor-released patch from Pega as documented in the official security advisory at https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note. The advisory provides specific patched version numbers and installation instructions for affected Pega Infinity deployments. As an interim mitigation pending patch deployment, restrict administrative UI component editing privileges to trusted personnel, implement web application firewall (WAF) rules to detect and block script injection patterns in POST/PUT requests to Pega configuration endpoints, and review audit logs for unauthorized modifications to UI components. For defense-in-depth, ensure Content Security Policy (CSP) headers are enforced on all Pega platform deployments to limit XSS payload execution even if stored injection occurs.
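To make the "persisted, then rendered without output encoding" pattern from the Technical Context concrete, and to show the two defensive controls the Remediation section names (output encoding and a Content Security Policy), here is a small, generic Python illustration. It is an added example, not Pega code and not taken from the advisory: the component store, the label value and the `render_*`, `contains_active_markup` and `csp_header` functions are all constructed for this illustration.

```python
"""Stored XSS at render time: vulnerable vs. output-encoded rendering.

Generic illustration (not Pega code). It assumes a hypothetical "UI component"
record whose label was saved by an administrator and is later rendered into
HTML for other users, which is the shape of flaw described for CWE-79.
"""
import html
import re

# Constructed sample data: a persisted label as an administrator might have
# saved it. The script tag is a harmless marker used only to show the
# difference between raw interpolation and encoded output.
STORED_LABEL = 'Orders <script>alert("stored")</script>'

# Stand-in for the persistence layer: component id -> label (constructed).
COMPONENT_STORE = {
    "cmp-001": STORED_LABEL,
    "cmp-002": "Cases & Tasks",
}


def render_vulnerable(component_id: str) -> str:
    """Interpolates the stored label straight into markup (the CWE-79 pattern).

    Whatever was persisted is emitted as live HTML, so a stored script runs in
    the browser of every user who views the component.
    """
    label = COMPONENT_STORE[component_id]
    return f'<span class="label">{label}</span>'


def render_hardened(component_id: str) -> str:
    """Same rendering, but HTML-encodes the label at output time.

    html.escape turns <, >, &, " and ' into entities, so the stored value is
    displayed as text rather than parsed as markup.
    """
    label = html.escape(COMPONENT_STORE[component_id], quote=True)
    return f'<span class="label">{label}</span>'


def contains_active_markup(fragment: str) -> bool:
    """Demonstration check: does the fragment still contain a live <script> tag?

    Entity-encoded text such as '&lt;script&gt;' does not match, which is the
    point of encoding at output time.
    """
    return re.search(r"<\s*script\b", fragment, re.IGNORECASE) is not None


def csp_header(nonce: str) -> dict:
    """Defense-in-depth header: only scripts carrying this per-response nonce run.

    The nonce must be generated randomly for every response (for example with
    secrets.token_urlsafe); it is a parameter here so the policy string can be
    checked deterministically.
    """
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'self'"
    )
    return {"Content-Security-Policy": policy}


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable("cmp-001"))
    print("hardened:  ", render_hardened("cmp-001"))
    print("csp:       ", csp_header("example-nonce")["Content-Security-Policy"])
```

Output encoding is the fix for the flaw itself; the CSP only limits what an injected script can do if encoding is missed somewhere, which is why the advisory-style guidance treats it as defense in depth rather than a substitute for patching.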

Priority Score

Score: 24 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0

EUVD-2025-209147 vulnerability details – vuln.today