Researchers found vulnerability in Pega Infinity


By MYBRANDBOOK


Researchers found vulnerability in Pega Infinity

Pega Infinity is a popular enterprise software suite, with over 2,000 users. The package includes customer service and sales automation, an AI-driven ‘customer decision hub’, workforce intelligence, and a ‘no-code’ development platform. Some of its big-list customers include the FBI, US Air Force, Apple, American Express, and others.

 

According to the research team – Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert – CVE-2021-27651 is a critical-risk vulnerability in versions 8.2.1 to 8.5.2 of Pega’s Infinity software. The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system. However, the threat actors can fully compromise the Pega instance using malicious techniques like remote code execution, including the alteration of dynamic pages or templates.

 

Assailants could then use the reset account to “fully compromise” the Pega instance, through administrator-only remote code execution. This could include modifying dynamic pages, or templating. The security researchers came across the Pega Infinity vulnerability through participation in Apple’s bug bounty program.

 

The vendor added: “We would like to also note that no clients have reported any issues related to this vulnerability. Pega makes security a top priority, and we have acted quickly to remedy this issue.

 

“Pega believes independent security researchers play a valuable role in internet security, and we encourage responsible reporting of any vulnerabilities that may be found on our site or in our applications.”

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org