DRUPAL-CONTRIB-2018-078

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/salesforce/DRUPAL-CONTRIB-2018-078.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2018-078

Published

2018-12-05T19:24:02Z

Modified

2025-12-10T23:32:05.557542Z

Summary

[none]

Details

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure.

This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce record IDs are exposed. Entity content and metadata are appropriately protected. Disclosure of Salesforce ID does not confer any additional privileges.

References

https://www.drupal.org/sa-contrib-2018-078

Credits

- Oskar Schöldström
- - https://www.drupal.org/user/799618

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/salesforce

Package

Name: drupal/salesforce
Purl: pkg:composer/drupal/salesforce

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.1.0

Database specific

{
    "constraint": "<3.1.0"
}

Database specific

affected_versions

"<3.1.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/salesforce/DRUPAL-CONTRIB-2018-078.json"