it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
- Date: Wed, 24 Jun 2026 18:48:16 +0000
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-063
Project: Salesforce Suite [1]
Date: 2026-June-24
Security risk: *Moderately critical* 11/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross-site request forgery
Affected versions: <5.1.3
CVE IDs: CVE-2026-13243
Description:
The Salesforce Suite of modules integrates Drupal with Salesforce.
The Salesforce module does not properly validate the OAuth handshake during
interactive authentication, allowing an attacker to hijack the authorization
token and bind the site to an attacker's Salesforce account.
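The advisory does not name the exact validation defect in salesforce_oauth, so the following is an added illustration, not the module's own code: the standard control against cross-site request forgery in an OAuth 2.0 authorization-code handshake is an unguessable `state` value bound to the initiating user's session (RFC 6749, section 10.12). A callback that exchanges whatever authorization code arrives, without that binding, can be tricked into completing a handshake the attacker started and so binding the site to the attacker's account. The endpoint URLs and client id below are constructed placeholders.

```python
"""
Added example (not part of the Drupal advisory or the Salesforce Suite code):
a minimal OAuth 2.0 authorization-code client showing the weak callback beside
the hardened one. The hardened callback accepts an authorization code only when
the `state` in the callback matches the single-use value stored in the session
when the handshake was started.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; real values belong to the site and provider.
AUTHORIZE_URL = "https://login.salesforce.example/services/oauth2/authorize"
REDIRECT_URI = "https://drupal.example/salesforce/oauth_callback"


@dataclass
class Session:
    """Server-side session of the administrator performing the handshake."""
    data: dict = field(default_factory=dict)


def begin_authorization(session: Session, client_id: str) -> str:
    """Generate a fresh state, remember it in the session, build the redirect."""
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def _query_value(callback_url: str, name: str) -> Optional[str]:
    return parse_qs(urlparse(callback_url).query).get(name, [None])[0]


def vulnerable_callback(session: Session, callback_url: str) -> Optional[str]:
    """Weak form: returns any code delivered to the callback, regardless of who
    started the handshake. The caller would exchange it for tokens as-is."""
    return _query_value(callback_url, "code")


def hardened_callback(session: Session, callback_url: str) -> Optional[str]:
    """Hardened form: release the code only if `state` matches the session's
    single-use value. Any mismatch, missing value or replay yields None, which
    the caller should treat as a failed handshake and log."""
    expected = session.data.pop("oauth_state", None)  # single use: pop, not get
    received = _query_value(callback_url, "state")
    if expected is None or received is None:
        return None
    # constant-time comparison; encode so non-ASCII input cannot raise
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    return _query_value(callback_url, "code")
```

The point the advisory's alternative solution makes (revoke and re-authenticate) follows from this design: a binding that was completed without the session check cannot be trusted after the fact, so the only safe path is to discard it and run the handshake again under the validated flow.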
This vulnerability is mitigated by the fact that the salesforce_oauth submodule
must be enabled and a salesforce_oauth authorization profile must be active and
in use. The salesforce_oauth submodule is deprecated, and salesforce_jwt has
been the recommended authentication plugin for several years. Sites with
salesforce_oauth uninstalled, or sites relying exclusively on salesforce_jwt
(JWT or JWT Gov Cloud) for authentication, are not impacted.
The salesforce_oauth submodule has been removed in the 6.0.x branch, so
versions 6.0.x and later are not affected by this vulnerability.
Solution:
*Recommended solution:*
* Update to Salesforce Suite version 5.1.3 [3]
* Uninstall salesforce_oauth module
*Alternative solution*, if you must continue to use the salesforce_oauth module:
* Update to Salesforce Suite version 5.1.3 [4]
* Revoke existing oauth provider tokens
* Re-authenticate all existing oauth providers
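To turn the affected-version rule and the two remediation paths above into a repeatable triage check, here is an added helper (not from the advisory or the project). It assumes plain `MAJOR.MINOR.PATCH[-suffix]` version strings from the 5.x branch, as used in the advisory, rather than the legacy `8.x-` prefixed form, and it treats a pre-release of 5.1.3 conservatively as still affected.

```python
"""
Added example (not part of the advisory or the Salesforce Suite project):
encodes the advisory's rules so a site inventory can be checked mechanically.
 - code is vulnerable when version < 5.1.3 on the 5.x branch
 - 6.0.x and later are unaffected (salesforce_oauth was removed there)
 - exploitable only if salesforce_oauth is installed and a salesforce_oauth
   authorization profile is active and in use
"""
from typing import List, Tuple

FIXED_VERSION = (5, 1, 3)
UNAFFECTED_MAJOR = 6

STEP_UPDATE = "Update to Salesforce Suite version 5.1.3"
STEP_UNINSTALL = "Uninstall salesforce_oauth module"
STEP_REVOKE = "Revoke existing oauth provider tokens"
STEP_REAUTH = "Re-authenticate all existing oauth providers"


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """'5.1.3-rc1' -> ((5, 1, 3), True); '5.1.2' -> ((5, 1, 2), False).
    Assumption: no '8.x-' style prefix (label: constructed format)."""
    core, sep, _suffix = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return numbers, bool(sep)


def vulnerable_code(version: str) -> bool:
    """True when the installed code predates the fix."""
    numbers, prerelease = parse_version(version)
    if numbers[0] >= UNAFFECTED_MAJOR:
        return False  # salesforce_oauth no longer exists in 6.0.x and later
    if numbers < FIXED_VERSION:
        return True
    # a pre-release tagged 5.1.3-x is not the fixed release; be conservative
    return numbers == FIXED_VERSION and prerelease


def is_exploitable(version: str, oauth_installed: bool,
                   oauth_profile_in_use: bool) -> bool:
    """Vulnerable code plus both mitigating conditions absent."""
    return vulnerable_code(version) and oauth_installed and oauth_profile_in_use


def remediation(version: str, oauth_installed: bool,
                must_keep_oauth: bool) -> List[str]:
    """Return the advisory's steps that apply to this site, in order.
    Even a site with the submodule installed but no profile in use should
    update and uninstall, so the plan keys on installed code, not on use."""
    if not vulnerable_code(version):
        return []
    steps = [STEP_UPDATE]
    if not oauth_installed:
        return steps
    if must_keep_oauth:
        steps += [STEP_REVOKE, STEP_REAUTH]   # alternative solution
    else:
        steps.append(STEP_UNINSTALL)          # recommended solution
    return steps
```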
Reported By:
* Muhammedali Aliyev (swordmein) [5]
Fixed By:
* Aaron Bauman (aaronbauman) [6]
Coordinated By:
* Neil Drumm (drumm) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/185127-salesforce-security/-/work_items/1 [10]
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/salesforce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/salesforce/releases/5.1.3
[4] https://www.drupal.org/project/salesforce/releases/5.1.3
[5] https://www.drupal.org/u/swordmein
[6] https://www.drupal.org/u/aaronbauman
[7] https://www.drupal.org/u/drumm
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://git.drupalcode.org/security/185127-salesforce-security/-/work_items/1
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3592432
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Archive provided by MHonArc 2.6.19+.