CVE-2023-26465 - Breaking Through XSS Filters in Pega Platform
Published on April 22, 2024 by Maciej Piechota and Adam Simuntis
Last year we identified an interesting XSS vulnerability in the Pega Platform involving the clever combination of markdown syntax and user mentions. This post delves into the details of the PoC, providing a concise yet thorough analysis of how arbitrary JavaScript code could be executed within the application.
Intro
Pega Platform is a complex CRM solution designed to automate business processes and improve customer engagement. It includes many sub-modules, one of which is Pega Pulse, facilitating direct communication and collaboration within the platform.
Pega Pulse allows the use of markdown syntax as well as mentioning other users in the company. We exploited those two functionalities to construct the PoC below.
PoC
![@maciej.piechota@secforce.com <![img src=x onerror=alert(window.origin)](1)>](1)
PoC Deconstruction
We first noticed that the user-mention functionality made it possible to escape from the quoted attribute of an anchor tag:
<a href="https://secforce.com@maciej.piechota@secforce.com ">link</a>
Note that the mention text was inserted directly into the href attribute of the anchor tag.
We tried to construct a payload from the parts of the mention-generated HTML that we controlled, but without success.
We then turned to other functionality and quickly noticed that a limited markdown syntax is supported, including images and links:
produces:
with an alt (alternative text) attribute under our control, so we thought we could construct a payload there and then escape the quotes using the previous method.
Unfortunately, HTML tags were stripped from the alt attribute. However, nesting the same markdown syntax bypassed the XSS filter:
Combined with the earlier method of escaping from the attribute, this resulted in a stored cross-site scripting vulnerability:
![@maciej.piechota@secforce.com <![img src=x onerror=alert(window.origin)](1)>](1)
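As an added illustration of the defensive point behind this bug (not code from the post, and not Pega's implementation): a small renderer for mentions and markdown images that encodes each value for the HTML context it is written into (text node, attribute value, URL) instead of trying to strip tags out of alt text. The token patterns and the profile URL are assumptions; the payload published above is run through it.

```javascript
// Added example, not Pega's code: a minimal renderer for the two Pulse features
// the post discusses (mentions and markdown images) that encodes every value for
// the context it lands in instead of stripping tags out of alt text. The token
// patterns and the profile URL are assumptions for illustration.
const MENTION_RE = /@[\w.-]+@[\w.-]+\.[a-z]{2,}/gi; // @user@domain.tld
const IMAGE_RE = /!\[([^\]]*)\]\(([^)\s]*)\)/g;     // ![alt](url)

// Text-node escaping (& first so entities are not double-escaped) and
// attribute-value escaping, which must also neutralise the delimiting quote.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, "&quot;");
}

// Mentions become links; the handle is attribute-encoded before it enters href,
// so a quote or space inside it can no longer close the attribute.
function renderText(segment) {
  let out = "", last = 0;
  for (const m of segment.matchAll(MENTION_RE)) {
    out += escapeText(segment.slice(last, m.index));
    const href = "https://example.test/users/" + m[0].slice(1);
    out += `<a href="${escapeAttr(href)}">${escapeText(m[0])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeText(segment.slice(last));
}

// Images need an http(s) URL, otherwise the markdown is shown as plain text.
// Alt text is an attribute value, so it is attribute-encoded, never "filtered".
function renderSafe(md) {
  let out = "", last = 0;
  for (const m of md.matchAll(IMAGE_RE)) {
    const [whole, alt, url] = m;
    out += renderText(md.slice(last, m.index));
    out += /^https?:\/\//i.test(url)
      ? `<img src="${escapeAttr(url)}" alt="${escapeAttr(alt)}">`
      : renderText(whole);
    last = m.index + whole.length;
  }
  return out + renderText(md.slice(last));
}

// Every "<" left in the output is a real tag; encoded ones became "&lt;".
function tagCount(html) {
  return (html.match(/</g) || []).length;
}
// The payload from the post above, reused as the input for the checks.
const POC_FROM_POST =
  "![@maciej.piechota@secforce.com <![img src=x onerror=alert(window.origin)](1)>](1)";
```

Running the published payload through renderSafe yields one mention link and the rest as inert text, whereas a plain image with an http(s) URL still renders as an img element.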
Affected versions
Pega Platform <= 8.7.1
Timeline
- 08.04.2022 – reported XSS to Pega Security team
- 31.05.2022 – team sent acknowledgement
- 24.02.2023 – CVE-2023-26465 assigned
- 30.05.2023 – Pega Security Advisory released
References
https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26465
Thanks
We would like to thank the Pega Security team for a smooth collaboration during our responsible disclosure of this vulnerability.