Security Advisories

FSC-2021-1: Reflected Cross-Site Scripting Vulnerability in F-Secure Cloud Protection for Salesforce

Description

A reflected cross-site scripting vulnerability affects Salesforce sites where the F-Secure Cloud Protection for Salesforce application is installed.

STATUS: RESOLVED

RISK LEVEL: HIGH

FIX: Version 1.6.18 of F-Secure Cloud Protection for Salesforce is published to Salesforce AppExchange and includes a fix for this vulnerability.

Affected Products

Corporate Products:

  • F-Secure Cloud Protection for Salesforce 1.6.17 and earlier versions

Platforms

  • All supported platforms for the affected products

More Information

A reflected cross-site scripting vulnerability exists in the F-Secure Cloud Protection for Salesforce application. If a remote attacker is able to convince a user of a Salesforce organization who has an active authenticated session to visit a specially crafted link, the attacker could potentially execute arbitrary JavaScript code within the scope of the user's Salesforce organization.

This issue was reported directly to F-Secure by a customer. No known exploit or attack has been seen in the wild.

Mitigating Factors

The targeted user must have an active authenticated session with F-Secure permission assigned to the user in the Salesforce organization.

Fix Available

Product: F-Secure Cloud Protection for Salesforce
Versions: 1.6.17 and earlier
Fix: Version 1.6.18 of F-Secure Cloud Protection for Salesforce is published to Salesforce AppExchange and includes a fix for this vulnerability.

Date Issued: 2021-01-27