- Issue created by @larowlan
This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue
This module has a privilege escalation vulnerability.
You can see this vulnerability by:
1. Enabling the module
2. Configuring a salesforce authorization config
3. Using the rest client to authenticate with salesforce, which generates a token
4. This ends up being stored in plain text in the state API (key value table)
This token is equivalent to a password, so should be encrypted or hashed before storing in the database in my opinion.
The module seems to have some integration with the key module, ideally it would use an encryption key to encrypt/decrypt this value before/after storing in the database
Active
5.0
salesforce.module
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.