PT-2024-28010 · Avalara · Avalara For Salesforce Cpq

Andrew Schoonmaker · Published 2024-07-03 · Updated 2024-07-09 · CVE-2024-38453

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Avalara for Salesforce CPQ versions prior to 7.0

Description

The issue allows attackers to read an API key. The current version of the app is 11 as of mid-2024.

Recommendations

For versions prior to 7.0, update to version 7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to API keys until the update is applied.

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Insecure Storage of Sensitive Information

Related Identifiers

CVE-2024-38453

Affected Products

Avalara For Salesforce Cpq