Detections
Analytics
Salesforce Lightning Objects Guest Permissions
low Web App Scanning Plugin ID 113207
Language:
Synopsis
Salesforce Lightning Objects Guest PermissionsDescription
Salesforce Lightning is a component-based framework which is designed to help organizations building data-driven SaaS applications. By assembling those components called `Aura components`, developers can quickly create custom web pages in their Salesforce application and perform specific actions on Salesforce objects and records through an exposed API.When guest permissions are not properly enforced on Aura components, an unauthenticated attacker could abuse this feature to extract sensitive information stored by the Salesforce application.
Solution
Ensure that permissions applied to guest users are expected and matching with the application requirements. If not needed, API access should also be disabled for the guest profile.See Also
https://help.salesforce.com/s/articleView?id=sf.security_data_access.htm&type=5
Plugin Details
Severity: Low
ID: 113207
Type: remote
Family: Web Applications
Published: 3/24/2022
Updated: 3/24/2022
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 2.9
CVSS v2
Risk Factor: Low
Base Score: 2.6
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Low
Base Score: 3.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
Reference Information
CWE: 284
OWASP: 2010-A8, 2013-A7, 2017-A5, 2021-A1
WASC: Insufficient Authorization
CAPEC: 19, 441, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578
DISA STIG: APSC-DV-000460
HIPAA: 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-1.4.2
PCI-DSS: 3.2-6.5.8