Pega Platform prior to 8.4.0 has an XSS issue via stream rule parameters used in the request header.
Vendor: pega; product: pega platform