Salesforce tags 5 CVEs after SaaS security probe uncovers misconfig risks
theregister.co.uk

Salesforce has assigned five CVE identifiers following a security report that uncovered more than 20 configuration weaknesses, some of which exposed customers to unauthorized access and session hijacking.
The vulnerabilities were made public this week after admins were notified of the flaws in May. Aaron Costello, chief of SaaS security research at AppOmni, who made the findings, said all five CVEs were associated with Flexcards, Data Mappers, and other core components of Salesforce Industries.
Salesforce did not deem the other 16 flaws Costello reported worthy of CVEs, but instead classified them as misconfigurations, placing the responsibility for addressing them on the customer.
"These findings revealed how default settings and some insecure patterns that are the responsibility of the customers to configure and use correctly, can lead to unauthorized access to encrypted fields, session stealing, credentials, and business logic," he said.
"For organizations using Salesforce industry clouds, these findings underscore an urgent ...