Salesforce Lightning Objects Guest Permissions

low Web Application Scanning Plugin ID 113207



Salesforce Lightning is a component-based framework designed to help organizations build data-driven SaaS applications. By assembling these components, called `Aura components`, developers can quickly create custom web pages in their Salesforce application and perform specific actions on Salesforce objects and records through an exposed API.

When guest permissions are not properly enforced on Aura components, an unauthenticated attacker could abuse this feature to extract sensitive information stored by the Salesforce application.


Ensure that the permissions applied to guest users are expected and match the application requirements. If it is not needed, API access should also be disabled for the guest profile.

Plugin Details

Severity: Low

ID: 113207

Type: remote

Published: 3/24/2022

Updated: 3/24/2022

Scan Template: scan, pci

Risk Information


CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable


CVSS v3

Risk Factor: Low

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable
