it-securitynotifies - [IT-SecNots] [Security-news] Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078
  • Date: Wed, 5 Dec 2018 19:49:05 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-078

Project: Salesforce Suite [1]
Date: 2018-December-05
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables Drupal to synchronize entities with Salesforce records.
The module includes a page that does not sufficiently protect access rights,
resulting in potential information disclosure.

This vulnerability is mitigated by the fact that only Drupal entity title and
IDs, and Salesforce record IDs are exposed. Entity content and metadata are
appropriately protected. Disclosure of Salesforce ID does not confer any
additional privileges.

Solution: 
Install the latest version:

* If you use the Salesforce Suite module for Drupal 8.x, upgrade to
Salesforce Suite 8.x-3.1 [3]

Also see the Salesforce Suite [4] project page.

Reported By: 
* Oskar Schöldström [5]

Fixed By: 
* Aaron Bauman [6]
* Gabriel Carleton-Barnes [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/salesforce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/salesforce/releases/8.x-3.1
[4] https://www.drupal.org/project/salesforce
[5] https://www.drupal.org/user/799618
[6] https://www.drupal.org/user/384578
[7] https://www.drupal.org/user/1682976
[8] https://www.drupal.org/u/greggles
