CVE-2017-11355 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Pega	Pega Platform

Configuration 1 [-]

cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*

References

Link	Resource
http://seclists.org/fulldisclosure/2017/Jul/28	Mailing List Third Party Advisory
https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve
https://www.exploit-db.com/exploits/42335/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-08-02T19:00:00

Updated: 2017-09-07T13:57:01

Reserved: 2017-07-16T00:00:00

Link: CVE-2017-11355

JSON object: View

NVD Information

Status : Modified

Published: 2017-08-02T19:29:00.740

Modified: 2017-09-08T01:29:55.483

Link: CVE-2017-11355

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-07-17T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-07T13:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"}, {"name": "42335", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42335/"}, {"name": "20170717 PEGA Platform <= 7.2 ML0 - Multiple vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2017/Jul/28"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11355", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve", "refsource": "CONFIRM", "url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"}, {"name": "42335", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42335/"}, {"name": "20170717 PEGA Platform <= 7.2 ML0 - Multiple vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2017/Jul/28"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11355", "datePublished": "2017-08-02T19:00:00", "dateReserved": "2017-07-16T00:00:00", "dateUpdated": "2017-09-07T13:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D99B50FB-B3F8-45B0-AF05-590CEBA16EA5", "versionEndIncluding": "7.2_ml0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page."}, {"lang": "es", "value": "Existen m\u00faltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) en PEGA Platform 7.2 ML0 y anteriores que permiten a los atacantes inyectar scripts web o HTML arbitrarios con (1) PATH_INFO en la p\u00e1gina principal; (2) el par\u00e1metro beanReference en la p\u00e1gina del visor JavaBean; o (3) pyTableName en la p\u00e1gina de modificaci\u00f3n del esquema de base de datos del sistema."}], "id": "CVE-2017-11355", "lastModified": "2017-09-08T01:29:55.483", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-02T19:29:00.740", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2017/Jul/28"}, {"source": "cve@mitre.org", "url": "https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-11355-and-cve-2017-11356/pegasystems-security-bulletin-cve"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/42335/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}