Salesforce Agentforce Vibes Extension Improper Input Neutralization Vulnerability Allowing Configuration File Manipulation

Vulnerability

A vulnerability exists in the Salesforce Agentforce Vibes Extension, all versions prior to 3.2.0, due to improper neutralization of input used for large language model prompting. This vulnerability allows manipulation of writable configuration files. When combined with prompt injection, it could lead to arbitrary command execution and remote code execution, potentially granting full access to the victim's Salesforce organization.

Impact

Exploitation of this vulnerability could result in arbitrary command execution, and when combined with prompt injection, it could allow remote code execution, potentially granting full access to the victim's Salesforce organization.

Remediation

Users of the Agentforce Vibes extension should update to version 3.2.0 or later. Those who have disabled automatic updates must manually check for and apply the update. Instructions for manually updating the extension are available in the Salesforce Knowledge Article Number 005228032.

Added: Nov 4, 2025, 7:25 PM
Updated: Nov 4, 2025, 10:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.4
remediation: 7.7
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.