[Security-news] Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078
security-news at drupal.org
Wed Dec 5 19:49:05 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-078
Project: Salesforce Suite [1]
Date: 2018-December-05
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module enables Drupal to synchronize entities with Salesforce records.
The module includes a page that does not sufficiently protect access rights,
resulting in potential information disclosure.
This vulnerability is mitigated by the fact that only Drupal entity titles and
IDs, and Salesforce record IDs, are exposed. Entity content and metadata are
appropriately protected. Disclosure of a Salesforce ID does not confer any
additional privileges.
Solution:
Install the latest version:
* If you use the Salesforce Suite module for Drupal 8.x, upgrade to
Salesforce Suite 8.x-3.1 [3]
Also see the Salesforce Suite [4] project page.
Reported By:
* Oskar Schöldström [5]
Fixed By:
* Aaron Bauman [6]
* Gabriel Carleton-Barnes [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/salesforce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/salesforce/releases/8.x-3.1
[4] https://www.drupal.org/project/salesforce
[5] https://www.drupal.org/user/799618
[6] https://www.drupal.org/user/384578
[7] https://www.drupal.org/user/1682976
[8] https://www.drupal.org/u/greggles