CKEditor XSS Injection Security Issue in Pega 8.8.3

We have reviewed the reference provided by Pega regarding the wrapper protection mechanism against injection attacks. While the wrapper appears to be in place, it does not seem to be functioning as expected.

We have observed a successful XSS execution within CKEditor when a malicious payload was inserted. Below is a sample payload that bypassed the protection:

CLICKME

Attached is the evidence demonstrating the XSS execution.

Request for Justification:

  1. Could you provide details on how Pega has implemented the wrapper code to protect against injection attacks?
  2. Are there any recommended configurations or patches available to enhance security in CKEditor within Pega?
  3. Is there a planned fix or workaround to mitigate this issue?

Please advise on the next steps to address this security concern.

@AnilKumarTechy All Security-related documentation can be found on the documentation server: Mitigating common security vulnerabilities.

Pega 8.8.3 is in Extended Support:

“Extended Support means clients should immediately update to the latest minor version to benefit from ongoing security and reliability improvements. Clients continue to receive support but need to update to the latest minor version to resolve non-production issues that they might experience.”

You can always Review Security Advisories from the Important Links on the PSC.

If you are an on-premises or client-managed cloud client, please review the available hotfixes on My Software → My Security Hotfixes corresponding to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal.

Information regarding the availability of any Security hotfixes will be publicly posted on Pega Support Center.

As always, we recommend our clients review our Security Checklist regularly.

As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.

Regarding your questions:

  1. Wrapper Implementation:
     The CKEditor implementation in Pega includes a custom wrapper code that utilizes the JSoupParser Utility to clean RTE content. This wrapper is designed to:
     • Remove script tags in iframes
     • Clean potentially dangerous attributes (like onerror, onchange)
     • Filter out malicious HTML content
     • Maintain compliance with OWASP standards
  2. Available Security Measures:
     There is a specific hotfix available for this vulnerability:
     • Hotfix ID: HFIX-A1614 (specifically for Pega 8.8.3)
     • This hotfix addresses the XSS vulnerability related to editing/rendering user HTML content
     • The fix has been officially documented in the Pega Security Advisory - I23 Vulnerability
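To illustrate the kind of allowlist cleaning the reply describes (dropping script and iframe content, removing event-handler attributes such as onerror and onchange, and keeping only safe link schemes), here is an added Python example; it is a constructed sanitizer for illustration, not Pega's wrapper or its JSoupParser code, and the tag and attribute allowlist is an assumption chosen for the demo.

```python
from html import escape
from html.parser import HTMLParser
import re

# Constructed allowlist modelled on what the reply says the wrapper does (not Pega's rules).
ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "ul", "ol", "li", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # content dropped too
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.-]*):")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside an element whose content is dropped
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag itself but keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (onerror, onchange, ...) are never allowed on any tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src"):
                # Entities are already decoded; strip whitespace so "java\tscript:" is a scheme.
                m = SCHEME_RE.match("".join(value.split()).lower())
                if m and m.group(1) not in SAFE_SCHEMES:
                    continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is always re-escaped, never emitted raw

def sanitize(html):
    """Return the allowlist-cleaned form of untrusted rich-text HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Running a previously successful payload through sanitize() and checking that no script element, event handler or javascript: URL survives is a simple regression check to keep alongside a hotfix.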