CVE-2017-11355 in PEGA Platform
Summary
by MITRE
Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page.
Analysis
by VulDB Data Team • 07/21/2025
The vulnerability CVE-2017-11355 represents a critical cross-site scripting flaw affecting PEGA Platform versions 7.2 ML0 and earlier, demonstrating a fundamental weakness in input validation and output encoding mechanisms within web applications. This vulnerability resides in the core web framework of the platform and allows remote attackers to execute malicious scripts in the context of victim browsers, potentially leading to session hijacking, data theft, or unauthorized access to sensitive information. The flaw specifically targets three distinct entry points within the application's architecture, each representing a different attack vector that could be exploited by malicious actors without requiring authentication or privileged access.
The vulnerability stems from insufficient sanitization of user-supplied input across multiple web pages within the PEGA Platform. The first attack vector involves PATH_INFO, the additional path information that the web server passes to the application from the portion of the URL following the application's own path. When this value is not properly validated or escaped before being rendered in the application's main page, attackers can inject malicious JavaScript code that executes in the context of authenticated users. The second vector targets the beanReference parameter in the JavaBean viewer page, where unvalidated input allows attackers to manipulate the reference to JavaBeans objects, potentially leading to script injection in the rendered output. The third vulnerability occurs in the System database schema modification page, where the pyTableName parameter is not adequately sanitized, enabling attackers to inject malicious content that could be executed when database schema information is displayed to users.
The operational impact of CVE-2017-11355 extends beyond simple script execution, as it provides attackers with potential access to sensitive organizational data and system functionality. When successfully exploited, these vulnerabilities could enable attackers to steal session cookies, access confidential business data, modify database records, or even escalate privileges within the PEGA environment. The vulnerability affects the core platform functionality and could compromise the integrity of business processes that rely on PEGA's workflow management capabilities. Organizations using affected versions face significant risk of data breaches, regulatory compliance violations, and potential financial losses due to unauthorized access to business-critical applications.
Security professionals should recognize this vulnerability as a classic example of CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security that affects numerous applications across different platforms. The attack patterns associated with this vulnerability align with ATT&CK technique T1059.007 - Command and Scripting Interpreter: JavaScript, demonstrating how attackers can leverage web-based scripting languages to execute malicious payloads. Organizations should implement immediate mitigations including input validation and output encoding for all user-supplied parameters, particularly those used in dynamic content generation. The recommended approach involves implementing strict parameter validation, HTML escaping for all dynamic content, and regular security assessments of web applications to identify similar vulnerabilities. Additionally, organizations should consider implementing web application firewalls and content security policies to provide additional layers of protection against such attacks, while also ensuring that all PEGA Platform instances are updated to versions that address these specific XSS vulnerabilities.
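A log-triage check for the three entry points named in the description, added here as an example and not taken from MITRE, VulDB or Pega: it flags access-log requests whose path or beanReference/pyTableName value decodes to HTML markup characters. The Combined Log Format, the `/app/...` paths and the sample lines are constructed assumptions, and only parameters sent in the query string are visible to it.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters needed to break out of an HTML context; none belong in a
# path segment, a bean reference or a table name.
MARKUP = re.compile(r"""[<>"'`]""")
# Query parameters named in the CVE description (compared case-insensitively).
WATCHED_PARAMS = {"beanreference", "pytablename"}
# Request line inside a Common/Combined Log Format entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the /app/... paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jul/2025:10:00:01 +0000] "GET /app/main/%3Cb%3Eprobe%3C/b%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Jul/2025:10:00:02 +0000] "GET /app/beanviewer?beanReference=%253Cb%253Eprobe HTTP/1.1" 200 640',
    '198.51.100.4 - - [21/Jul/2025:10:00:03 +0000] "GET /app/schema?pyTableName=pr_data_orders HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_vectors(log_line):
    """Return the CVE-2017-11355 entry points in this line that carry markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    hits = []
    # Vector 1: markup anywhere in the request path (covers PATH_INFO).
    if MARKUP.search(fully_decode(url.path)):
        hits.append("PATH_INFO")
    # Vectors 2 and 3: markup in the two named parameters.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS and MARKUP.search(fully_decode(value)):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_vectors(line), line.split('"')[1])
```

Hits from this check are leads for review, since it inspects requests only and cannot tell whether the response reflected the value unencoded.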