FSC-2021-1

Reflected Cross-Site Scripting Vulnerability in F-Secure Cloud Protection for Salesforce

More information

A reflected cross-site scripting vulnerability exists in the F-Secure Cloud Protection for Salesforce application. If a remote attacker is able to convince a user of a Salesforce organization who has an active authenticated session to visit a specially crafted link, the attacker could potentially execute arbitrary JavaScript code within the scope of the user's Salesforce organization.

This issue was reported directly to F-Secure by a customer. No known exploit or attack has been seen in the wild.

Antti Levomäki, Forcepoint

Christian Jalio, Forcepoint

  • Description: A reflected cross-site scripting vulnerability on Salesforce sites where the F-Secure Cloud Protection for Salesforce application is installed.
  • Status: Resolved
  • Risk level: High
  • Fix: Version 1.6.18 of F-Secure Cloud Protection for Salesforce is published to Salesforce AppExchange and includes a fix for this vulnerability.
  • Affected products: Corporate Products: F-Secure Cloud Protection for Salesforce 1.6.17 and earlier versions
  • Platforms: All supported platforms of the affected products
  • Date issued: 27/1/2021