CVE-2018-3777

Name of the Vulnerable Software and Affected Versions restforce versions prior to 3.0.0

Description The issue is related to insufficient URI encoding, allowing an attacker to inject arbitrary parameters into Salesforce API requests. This flaw is only exploitable in applications that pass user input directly to restforce's select, find, describe, update, upsert, and destroy methods. Attackers could manipulate the request to access different endpoints or modify data by overriding HTTP methods via request parameters, such as HttpMethod=PATCH.

Recommendations For versions prior to 3.0.0, consider updating to version 3.0.0 or later to resolve the issue. As a temporary workaround, applications should track Salesforce IDs internally rather than passing user-supplied IDs to Salesforce to mitigate this vulnerability.