A CVE in Pega CMS was found while researching on Ford’s VDP program. The vulnerability was initially identified by myself (@rej_ex) and break3r (@1337break3r). Subsequently, Sakura Samurai (@sakurasamuraii) members were brought in to participate in the research and the severity was escalated.
The impact was large in scale. Attackers could use the vulnerabilities identified in the broken access control and obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data.
During the research, a lack of access control in Pega services was noticed, which allowed for information disclosure — which included PII. Data retrieved included employee email addresses and information, O-Auth Access Tokens, finance account numbers, tickets within the work queue, user profiles within the organization, pulse actions, database tables and names, specific ticketing information and search bar history, internal interfaces, etc.
The vulnerability was accepted and labeled as CVE-2021-27653 on April 1st, 2021. You can see more information on the CVE here.