Summary
A CVE in Pega CMS was found while researching on Ford’s VDP program. The vulnerability was initially identified by myself (@rej_ex) and break3r (@1337break3r). Subsequently, Sakura Samurai (@sakurasamuraii) members were brought in to participate in the research and the severity was escalated.
Aubrey Cottle (@Kirtaner), Jackson Henry (@JacksonHHax), and John Jackson (@johnjhacking) were the additional participating members.
Impact
The impact was large in scale. Attackers could use the vulnerabilities identified in the broken access control and obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data.
During the research, a lack of access control in Pega services was noticed, which allowed for information disclosure — which included PII. Data retrieved included employee email addresses and information, O-Auth Access Tokens, finance account numbers, tickets within the work queue, user profiles within the organization, pulse actions, database tables and names, specific ticketing information and search bar history, internal interfaces, etc.
CVE
The vulnerability was accepted and labeled as CVE-2021-27653 on April 1st, 2021. You can see more information on the CVE here.
I’m an infosec, cybersecurity professional who enjoys continuously learning and hacking. I also collect and make comics books. I role with my crew — Sakura Samurai. Follow me on Twitter @rej_ex.