Docusign · Docusign Api · CVE-2024-39344
**Name of the Vulnerable Software and Affected Versions**
Docusign API package version 8.142.14 for Salesforce
**Description**
An issue was discovered in the Docusign API package for Salesforce, where the `Apttus_DocuApi__DocusignAuthentication__mdt` object stores configuration information in a manner that could be compromised. With default settings, the object can be accessed, disclosing keys that can be combined to create a valid session via the Docusign API. This can lead to a complete compromise of the Docusign account, as the session is for an administrator service account and may have permission to re-authenticate as specific users.
**Recommendations**
For Docusign API package version 8.142.14, consider restricting access to the `Apttus_DocuApi__DocusignAuthentication__mdt` object to minimize the risk of exploitation. As a temporary workaround, review and secure the configuration information stored by this object to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
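
One way to check the access restriction recommended above, as an added example that is not part of the advisory or of Docusign's code: a script that scans retrieved Salesforce profile and permission-set metadata for anything that lets its users read the object. It assumes the object's API name is `Apttus_DocuApi__DocusignAuthentication__mdt`, that the org's restriction on custom metadata type access is enabled so these grants govern read access, and it runs on constructed sample XML with hypothetical file names.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Assumed namespaced API name of the object named in the advisory.
TARGET = "Apttus_DocuApi__DocusignAuthentication__mdt"

def _wrap(kind, body):
    return f'<{kind} xmlns="{NS["sf"]}">{body}</{kind}>'

def _cmt(name, enabled):
    return (f"<customMetadataTypeAccesses><enabled>{enabled}</enabled>"
            f"<name>{name}</name></customMetadataTypeAccesses>")

# Constructed sample metadata (not from a real org); file names are hypothetical.
SAMPLES = {
    "profiles/Community User.profile-meta.xml": _wrap("Profile", _cmt(TARGET, "true")),
    "profiles/Read Only.profile-meta.xml": _wrap("Profile", _cmt(TARGET, "false")),
    "permissionsets/Docusign_Integration.permissionset-meta.xml":
        _wrap("PermissionSet", _cmt(TARGET, "true")),
    "permissionsets/Sales_Reports.permissionset-meta.xml":
        _wrap("PermissionSet", _cmt("Other__mdt", "true")),
    "profiles/Admin.profile-meta.xml": _wrap("Profile",
        "<userPermissions><enabled>true</enabled>"
        "<name>CustomizeApplication</name></userPermissions>"),
}

def _enabled(root, tag, wanted):
    """True if an enabled <tag> entry names `wanted` (case-insensitive)."""
    for entry in root.findall(f"sf:{tag}", NS):
        name = (entry.findtext("sf:name", "", NS) or "").strip().lower()
        flag = (entry.findtext("sf:enabled", "", NS) or "").strip().lower()
        if name == wanted.lower() and flag == "true":
            return True
    return False

def reasons(xml_text, target=TARGET):
    """List why this Profile/PermissionSet lets its users read `target`."""
    root = ET.fromstring(xml_text)
    found = []
    if _enabled(root, "customMetadataTypeAccesses", target):
        found.append("explicit grant")
    if _enabled(root, "userPermissions", "CustomizeApplication"):
        found.append("CustomizeApplication")
    return found

def audit(files, target=TARGET):
    """Map each metadata file that exposes `target` to its reasons."""
    return {p: r for p, x in files.items() if (r := reasons(x, target))}

if __name__ == "__main__":
    for path, why in sorted(audit(SAMPLES).items()):
        print(f"{path}: {', '.join(why)}")
```

Each file reported is a profile or permission set to review: remove the grant unless the integration that uses the object genuinely needs it.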