CVE-2024-6702: 
NixOS vulnerability analysis and mitigation

Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection vulnerability with Stage. HTML Injection is an attack similar to cross-site scripting (XSS), where the attacker can only inject certain HTML tags rather than execute JavaScript code. The vulnerability was discovered and reported by Andrea Solenne, Christian Romano, and Lapo Mezzani (Pega Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Pegasystems Inc. rated it with a CVSS score of 5.2 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N. The vulnerability can only be executed by users with Pega Developer access (NVD, Pega Advisory).

Attackers can initiate an HTML injection attack by sending a malicious link to a user and enticing them to click it. However, the attack is limited to authorized Pega users with developer access. The vulnerability allows injection of certain HTML tags but does not permit JavaScript code execution (Pega Advisory).

The vulnerability has been fixed in several versions: 23.1.2 hotfix (HFIX-B1770), 23.1.3 Patch Release, 24.1.1 hotfix (HFIX-B1769), 24.1.2 Patch Release, and 24.2 Patch Release. Pega Cloud clients' environments are being proactively remediated by Pega through Cloud Maintenance cases. For on-premises or client-managed cloud installations, clients should download and apply the appropriate hotfix from My Security Hotfixes on My Pega (Pega Advisory).