CVE-2017-11356

MEDIUM

Pega Platform < 7.2_ml0 - Sensitive Configuration Exposure via Export


Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-11356. PoCs published by Daniel Correa.

AI-analyzed exploit summary: The exploit demonstrates missing access control (CVE-2017-11356) allowing low-privileged users to export sensitive application data, and multiple XSS vulnerabilities (CVE-2017-11355) in Pega Platform <= 7.2 ML0. The PoC includes direct URLs to trigger unauthorized exports and XSS payloads.

Description

The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control.

Exploits (1)

exploit-db · Working PoC
by Daniel Correa · text · webapps · multiple
https://www.exploit-db.com/exploits/42335

Classification
Working PoC 90%
Attack Type
Auth Bypass | Info Leak | XSS
Complexity
Trivial
Reliability
Reliable
Target: Pega Platform <= 7.2 ML0
Auth required
Prerequisites: Valid low-privileged user session · Access to Pega Platform instance
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)
Exploit, Third Party Advisory · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/42335/
Mailing List, Third Party Advisory · mailing-list · x_refsource_fulldisc
http://seclists.org/fulldisclosure/2017/Jul/28

Scores

CVSS v3 6.5
EPSS 0.0350
EPSS Percentile 87.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
pega/pega_platform < 7.2_ml0
Published Aug 02, 2017
Tracked Since Feb 18, 2026