Salesforce Lightning Objects Guest Permissions

Severity: Medium | Web App Scanning Plugin ID 113207

Synopsis

Salesforce Lightning Objects Guest Permissions

Description

Salesforce Lightning is a component-based framework designed to help organizations build data-driven SaaS applications. By assembling these components, called Aura components, developers can quickly create custom web pages in their Salesforce application and perform specific actions on Salesforce objects and records through an exposed API.

When guest permissions are not properly enforced on Aura components, an unauthenticated attacker could abuse this exposed API to extract sensitive information stored by the Salesforce application.

Solution

Ensure that the permissions granted to the guest user profile are intended and match the application's requirements. If it is not needed, API access should also be disabled for the guest profile.

See Also

https://help.salesforce.com/s/articleView?id=sf.security_data_access.htm&type=5

https://www.salesforce.com/eu/campaign/lightning/

Plugin Details

Severity: Medium

ID: 113207

Type: remote

Published: 3/24/2022

Updated: 3/24/2022

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable