CVE-2024-10716

5.9 MEDIUM

📋 TL;DR

A cross-site scripting (XSS) flaw in the search functionality of Pega Platform lets an attacker inject script that executes in the browser of another user who views the affected page, with that user's session and privileges. Pega Platform 8.1 through Infinity 24.2.0 is affected, so any organization running these versions with search enabled should assume exposure until upgraded.

💻 Affected Systems

Products:
  • Pega Platform
Versions: 8.1 to Infinity 24.2.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with search functionality enabled are affected.

📦 What is this software?

Pega Platform is Pegasystems' low-code platform for building business process management, case management and CRM applications. It is deployed as a Java web application (default web context /prweb) on application servers such as Tomcat, WebSphere or JBoss, and typically fronts customer and case data, which is why script running inside an authenticated user's session matters here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could run script in a victim's authenticated Pega session: steal session cookies if they are not flagged HttpOnly, perform actions as that user through the application's own requests (which works even when cookies are HttpOnly), redirect the browser to an attacker-controlled site, or deface the interface.

🟠

Likely Case

Session hijacking or session riding, leading to unauthorized access to data or functionality in the Pega application with the victim's privileges.

🟢

If Mitigated

Limited impact when server-side output encoding is in place, search input is validated, and a Content Security Policy (CSP) that disallows inline script is enforced. Note that CSP and validation reduce the blast radius but do not remove the underlying flaw; only the vendor fix does.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS is typically low-complexity to exploit once the injection point is known; the attacker's main cost is getting a victim to load the crafted search request, for example via a link or a page that issues it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Infinity 24.2.1 and later

Vendor Advisory: https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note

Restart Required: Yes

Instructions:

1. Upgrade to Pega Platform Infinity 24.2.1 or later; check the vendor advisory for the remediation applicable to your release line.
2. Deploy the upgraded build following Pega's standard deployment procedure.
3. Restart the application server.
4. Confirm the running version after the restart (see "How to Verify").

🔧 Temporary Workarounds

Implement Content Security Policy
  • Applies to: all deployments
  • Add a Content-Security-Policy header that restricts the origins scripts may load from and disallows inline script (no 'unsafe-inline' in script-src), so an injected <script> or onerror= handler is blocked by the browser.

Input Validation Filter
  • Applies to: all deployments
  • Implement server-side validation of search parameters (length limits, rejection or encoding of markup characters) using Pega Platform's input validation rules. This is defense in depth; output encoding is what actually prevents XSS.
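The following is an added illustration of the three mitigations mentioned on this page (output encoding under "If Mitigated", and the CSP and input-validation workarounds above). It is example code written for this note, not Pega's code and not a reproduction of the actual CVE-2024-10716 flaw: the reflected search page, the `query` parameter and the probe string are assumptions chosen to show the general pattern.

```python
import html
import re

# Constructed probe string used only to test encoding; a classic reflected-XSS
# marker, not an exploit for CVE-2024-10716.
PROBE = '<img src=x onerror=alert(1)>'


# Hypothetical reflected search page (not Pega's code). This is the general
# shape of the bug: the user-controlled query goes straight into HTML.
def render_results_vulnerable(query: str) -> str:
    # BAD: no output encoding; markup in `query` becomes live DOM.
    return f"<p>Results for: {query}</p>"


def render_results_hardened(query: str) -> str:
    # Output encoding: html.escape with quote=True also encodes ' and ", so the
    # value is safe both in text nodes and inside quoted attribute values.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# Workaround 1: a CSP that forbids inline script and off-origin script sources.
# Tune 'self' and any allowed hosts to your deployment; adding 'unsafe-inline'
# to script-src would defeat the point.
CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
       "base-uri 'self'; frame-ancestors 'self'")

# Workaround 2: server-side validation of the search parameter (defense in depth,
# not a substitute for encoding). Allowlist: word chars, whitespace, common punctuation.
_ALLOWED = re.compile(r"^[\w\s\-.,'\"()@#&:/]*$")


def validate_search_term(query: str, max_len: int = 200):
    """Return (ok, reason). Rejects over-long input and anything that looks like markup."""
    if len(query) > max_len:
        return False, f"too long ({len(query)} > {max_len})"
    if "<" in query or ">" in query:
        return False, "markup characters not permitted"
    if not _ALLOWED.match(query):
        return False, "unexpected characters"
    return True, ""


def hardened_response(query: str) -> dict:
    """Validate, encode on output, attach CSP. Returns a response-like dict."""
    ok, reason = validate_search_term(query)
    body = (render_results_hardened(query) if ok
            else f"<p>Invalid search: {html.escape(reason)}</p>")
    return {
        "status": 200 if ok else 400,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": CSP,
        },
        "body": body,
    }


if __name__ == "__main__":
    print(render_results_vulnerable(PROBE))    # the <img ... onerror=...> survives intact
    print(render_results_hardened(PROBE))      # &lt;img src=x onerror=alert(1)&gt;
    print(hardened_response(PROBE)["status"])  # 400
```

The order matters: validation rejects obvious probes early and gives a clean error, encoding makes whatever is echoed inert, and CSP is the browser-side backstop if either of the first two is bypassed. None of the three replaces the vendor fix.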

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block common XSS payloads in search parameters; this lowers exposure but WAF signatures are routinely bypassed with encoding tricks, so treat it as a stopgap, not a fix
  • Disable search functionality if it is not critical to business operations until the upgrade is done

🔍 How to Verify

Check if Vulnerable:

Check the running Pega Platform version in the System Management Application (SMA) or in Dev Studio's About screen; any version from 8.1 up to and including Infinity 24.2.0 is affected.

Check Version:

Same sources as above. Record the version from a running node rather than from deployment notes, since partially upgraded clusters can still serve the vulnerable build.

Verify Fix Applied:

Confirm the reported version is 24.2.1 or later. Then, in a non-production environment, submit a harmless probe such as <img src=x onerror=alert(1)> in the search field and check the HTTP response body or rendered DOM: the probe must appear as encoded text (&lt;img ...&gt;), not as an element. Do not rely on "no popup appeared", because a CSP can suppress the alert while the underlying encoding flaw remains.

📡 Detection & Monitoring

Log Indicators:

  • Search requests whose query parameter contains script tags, event-handler attributes (onerror=, onload=) or javascript: URIs, including URL-encoded or HTML-entity-encoded forms
  • Repeated search requests from one source IP or user account cycling through such payload variants

Network Indicators:

  • HTTP requests to search endpoints whose parameters carry script tags, javascript: URIs or event handlers, in plain or percent-encoded form (visible only where TLS is terminated, e.g. at a reverse proxy or WAF)

SIEM Query:

source="pega_logs" AND (search_parameter CONTAINS "<script" OR search_parameter CONTAINS "%3Cscript" OR search_parameter CONTAINS "javascript:" OR search_parameter CONTAINS "onerror=")

(Illustrative pseudo-query: "pega_logs" and "search_parameter" are placeholders for your own index and field names. Match on URL-decoded values where your SIEM supports it; otherwise include percent-encoded variants as above, since attackers rarely send a literal "<script>".)
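The substring-match SIEM query above misses anything the attacker percent-encodes, double-encodes or entity-encodes. As an added example (not from the original page, and not Pega's own logging), the script below applies the log and network indicators to constructed access-log lines: it decodes the search parameter the way a browser would before matching, and rolls hits up per source to surface the "repeated attempts" indicator. The /prweb/search path and the `query` parameter name are assumptions for illustration; map them to your real search endpoint and parameter.

```python
import html
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined-log style) for the demo. The /prweb/search
# path and the "query" parameter are assumed, not Pega's actual search endpoint.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Nov/2024:10:01:02 +0000] "GET /prweb/search?query=quarterly+report HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Nov/2024:10:01:09 +0000] "GET /prweb/search?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4980',
    '10.0.0.9 - - [12/Nov/2024:10:01:15 +0000] "GET /prweb/search?query=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4980',
    '10.0.0.12 - - [12/Nov/2024:10:02:00 +0000] "GET /prweb/search?query=javascript%3Aalert(1) HTTP/1.1" 200 4970',
    '10.0.0.7 - - [12/Nov/2024:10:02:30 +0000] "GET /prweb/search?query=%26lt%3Bsvg+onload%3Dalert(1)%26gt%3B HTTP/1.1" 200 4975',
    '10.0.0.5 - - [12/Nov/2024:10:03:00 +0000] "GET /prweb/search?query=a%3Cb+comparison HTTP/1.1" 200 5100',
]

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of script injection in a search term. "event_handler" will also catch
# harmless text such as "one=1"; treat hits as triage leads, not verdicts.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "active_element": re.compile(r"<\s*(img|svg|iframe|object|embed|body|video|audio|math)\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "data_html_uri": re.compile(r"data\s*:\s*text/html", re.I),
}


def normalize(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding, then HTML entities, so
    %3Cscript%3E, %253Cscript%253E and &lt;script&gt; all compare as <script>."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def scan_search_params(log_lines, param_names=("query",)):
    """Return one hit per suspicious search-parameter value, with the rules it tripped."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        # parse_qs removes one layer of percent-encoding; normalize() handles the rest
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in param_names:
            for raw in params.get(name, []):
                decoded = normalize(raw)
                rules = [rule for rule, pat in XSS_PATTERNS.items() if pat.search(decoded)]
                if rules:
                    hits.append({"src": m["src"], "ts": m["ts"], "status": m["status"],
                                 "param": name, "decoded": decoded, "rules": rules})
    return hits


def repeat_offenders(hits, threshold: int = 2):
    """Sources with `threshold` or more hits: the 'multiple attempts' indicator."""
    counts = Counter(h["src"] for h in hits)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_search_params(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["param"]}={h["decoded"]!r} -> {", ".join(h["rules"])}')
    print("repeat offenders:", repeat_offenders(found))
```

Decoding before matching is the whole point: the double-encoded %253Cimg and the entity-encoded &lt;svg lines are invisible to a literal "<script>" search but trip the same rules here, while the legitimate "a<b comparison" query is left alone. A 200 status on a payload request is worth noting too, since it means the server accepted and (before the fix) reflected the input.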

🔗 References

  • Pega Security Advisory E24 (vulnerability remediation note): https://support.pega.com/support-doc/pega-security-advisory-e24-vulnerability-remediation-note
  • NVD entry for CVE-2024-10716: https://nvd.nist.gov/vuln/detail/CVE-2024-10716
