Pega Infinity
Monthly
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Reflected cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged attacker holding a developer role to inject malicious scripts into a user interface component, which execute in a victim's browser upon interaction. The CVSS 4.0 score of 4.8 (Medium) reflects meaningful constraints: exploitation requires both developer-level authentication and a victim's active interaction with a crafted link or payload. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Stored cross-site scripting in Pega Platform (Pega Infinity) versions 8.1.0 through 25.1.2 allows a high-privileged developer-role user to inject persistent malicious scripts into a UI component, which execute in the browser context of other users who interact with the affected interface. The CVSS 4.0 score of 4.6 (Medium) reflects the constrained impact - limited confidentiality and integrity exposure with no availability impact - consistent with the PR:H and UI:A prerequisites that substantially reduce real-world risk. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
Stored cross-site scripting (XSS) in Pega Platform versions 8.1.0 through 25.1.0 allows authenticated administrative users with extensive access rights to inject malicious scripts into user interface components, potentially compromising the confidentiality of other users who interact with affected UI elements. The vulnerability requires high-privilege administrative access and user interaction to exploit, resulting in a CVSS 4.8 (low severity) with no integrity or availability impact. No public exploit code or active exploitation has been identified at time of analysis.