CVE-2023-26465 - Breaking Through XSS Filters in Pega Platform


Last year we identified an interesting XSS vulnerability in the Pega Platform that combined markdown syntax with the user-mention feature. This post delves into the details of the PoC, providing a concise yet thorough analysis of how arbitrary JavaScript could be executed within the application.

Intro

Pega Platform is a complex CRM solution designed to automate business processes and improve customer engagement. It includes many sub-modules, one of which is Pega Pulse, facilitating direct communication and collaboration within the platform.

Pega Pulse allows the use of markdown syntax as well as mentioning other users in the company. We combined these two features to construct the PoC below.

PoC

![@maciej.piechota@secforce.com <![img src=x onerror=alert(window.origin)](1)>](1)

PoC Deconstruction

We first noticed that the user-mention functionality made it possible to break out of the quoted href attribute of the generated anchor tag:

<a href="https://secforce.com@maciej.piechota@secforce.com ">link</a>

[screenshot]

Note that part of the mention was emitted as part of the anchor tag's HTML attribute.

We tried to build a payload from the controllable parts of the HTML produced by the mention, without success.

We then looked at other functionality and quickly noticed that a limited subset of markdown syntax is supported, including images and links:

![secforce](1)

produces:

[screenshot]

with an attacker-controlled alt attribute, so we thought we could place a payload there and then break out of the quotes using the previous method.

HTML tags were stripped from the alt attribute; however, nesting the same markdown image syntax bypassed the XSS filter:

[screenshot]

Combining this with the earlier method of breaking out of the attribute resulted in a stored cross-site scripting vulnerability:

![@maciej.piechota@secforce.com <![img src=x onerror=alert(window.origin)](1)>](1)

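To make the defensive takeaway concrete, here is an added example in Python. It is not part of the original post and is not Pega's code: a toy renderer that models the two rendering mistakes described above (a mention concatenated into an href without encoding, and a tag-stripping filter applied to the alt text) beside a hardened version of each, then checks what an HTML tokenizer actually ends up with. The post's PoC is fed through the image renderers as-is; the quoted mention, the neutral data-x attribute and the /profile/ URL path are constructed for this demo only.

```python
"""Added illustration (not Pega's or SECFORCE's code): a toy renderer that models the
two rendering mistakes the post describes, next to the hardened form of each.

Mistake 1: a user mention concatenated into an href attribute without encoding,
           so a quote inside the mention closes the attribute early.
Mistake 2: a "strip the tags" filter on image alt text instead of context-aware
           escaping, which is both lossy and bypassable.
"""
import html
import re
from html.parser import HTMLParser

# The post's own PoC, as one line (constructed input for this demo).
POC = ('![@maciej.piechota@secforce.com '
       '<![img src=x onerror=alert(window.origin)](1)>](1)')

# Constructed mention carrying a quote; data-x is a neutral attribute used only
# to make the attribute break-out visible in the parsed output.
CRAFTED_MENTION = 'maciej.piechota@secforce.com" data-x="'

IMAGE_RE = re.compile(r'^!\[(?P<alt>.*)\]\((?P<src>[^()]*)\)$', re.S)
MENTION_RE = re.compile(r'[A-Za-z0-9._-]+@[A-Za-z0-9.-]+')   # allow-list for mentions
TAG_RE = re.compile(r'<[^>]*>')                               # the naive "XSS filter"


def parse_image_markdown(text: str) -> tuple:
    """Split '![alt](src)' into (alt, src); the greedy alt group keeps nested markdown intact."""
    m = IMAGE_RE.match(text)
    if not m:
        raise ValueError('not an image')
    return m.group('alt'), m.group('src')


def render_mention_naive(mention: str) -> str:
    """Vulnerable pattern: raw concatenation into the attribute (what the post observed)."""
    return f'<a href="https://secforce.com@{mention} ">@{mention}</a>'


def render_mention_safe(mention: str) -> str:
    """Hardened: reject anything outside the allow-list, then attribute-encode the output.
    The /profile/ path is an assumption for this demo, not Pega's real URL scheme."""
    if not MENTION_RE.fullmatch(mention):
        raise ValueError('invalid mention')
    enc = html.escape(mention, quote=True)
    return f'<a href="https://secforce.com/profile/{enc}">@{enc}</a>'


def render_image_naive(alt: str, src: str) -> str:
    """Vulnerable pattern: blocklist filter (delete anything tag-shaped), then concatenate."""
    return f'<img src="{src}" alt="{TAG_RE.sub("", alt)}">'


def render_image_safe(alt: str, src: str) -> str:
    """Hardened: escape for the attribute context; no input can close the quote."""
    return (f'<img src="{html.escape(src, quote=True)}" '
            f'alt="{html.escape(alt, quote=True)}">')


class _Collector(HTMLParser):
    """Collects (tag, attrs) roughly the way a browser tokenizer would see the fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str) -> list:
    c = _Collector()
    c.feed(fragment)
    c.close()
    return c.tags


def has_event_handler(fragment: str) -> bool:
    """Detection check: does any element in the fragment carry an on* attribute?"""
    return any(k.startswith('on') for _, attrs in parse_tags(fragment) for k in attrs)


def check_poc(render) -> dict:
    """Render the post's PoC through `render` and report what the parser ends up with."""
    alt, src = parse_image_markdown(POC)
    out = render(alt, src)
    tags = parse_tags(out)
    return {
        'elements': len(tags),
        'alt_preserved': len(tags) == 1 and tags[0][1].get('alt') == alt,
        'event_handler': has_event_handler(out),
    }


def mention_attrs(render, mention: str) -> dict:
    """Attributes the parser assigns to the anchor produced by `render`."""
    return parse_tags(render(mention))[0][1]


if __name__ == '__main__':
    print('naive image:', check_poc(render_image_naive))   # alt content silently lost
    print('safe image: ', check_poc(render_image_safe))    # alt kept verbatim, inert
    print('naive mention:', mention_attrs(render_mention_naive, CRAFTED_MENTION))
    try:
        render_mention_safe(CRAFTED_MENTION)
    except ValueError as e:
        print('safe mention rejected:', e)
```

Running the script shows the strip filter silently discarding the nested markdown (a blocklist is lossy and order-dependent), while attribute escaping keeps the full alt text and leaves the parser with a single img element carrying no on* attribute. For the mention, the encoding alone already neutralises the quote; the allow-list is defence in depth on top of it.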


Affected versions

Pega Platform <= 8.7.1


Timeline


References

https://support.pega.com/support-doc/pega-security-advisory-a23-vulnerability-remediation-note

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26465


Thanks

We would like to thank the Pega Security team for a smooth collaboration during our responsible disclosure of this vulnerability.
