CVE Vulnerabilities

CVE-2019-16388

Direct Request ('Forced Browsing')

Published: Nov 26, 2019 | Modified: May 17, 2024
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

PEGA Platform 8.3.0 is vulnerable to Information disclosure via a direct prweb/sso/random_token/!STANDARD?pyStream=MyAlerts request to get Audit Log information while using a low-privilege account. NOTE: The vendor states that this vulnerability was discovered using an administrator account and they are normal administrator functions. Therefore, the claim that the CVE was done with a low privilege account is incorrect

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name Vendor Start Version End Version
Pega_platform Pega 8.3 (including) 8.3 (including)

Potential Mitigations

References