Salesforce Agentforce Vibes Extension Incorrect Permission Assignment Vulnerability
Vulnerability
Versions of the Salesforce Agentforce Vibes Extension prior to 3.2.0 assign incorrect permissions to critical resources. This allows manipulation of writable configuration files, which could lead to unauthorized changes or execution of commands.
Impact
Exploitation of this vulnerability could allow arbitrary command execution and, when combined with prompt injection, could result in remote code execution, potentially granting full access to the victim's Salesforce organization.
Remediation
Users of the Agentforce Vibes Extension should update to version 3.2.0 or later. Those who have disabled automatic updates must manually check for and apply the update. Instructions for manually updating extensions are available in the Visual Studio Extension Auto-Update Section.
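To find hosts where automatic updates are disabled and the extension is still below 3.2.0, the following added example (not Salesforce's code) classifies the output of `code --list-extensions --show-versions`. It assumes the extension is installed in Visual Studio Code; the extension ID is a placeholder, since the advisory does not state it, and the sample listing is constructed.

```python
import re
import sys

FIXED_VERSION = (3, 2, 0)  # first fixed release named in the advisory
# Placeholder (assumption): the advisory does not state the extension's ID.
EXTENSION_ID = "example-publisher.agentforce-vibes"

# One line of `code --list-extensions --show-versions`: publisher.name@1.2.3
_ENTRY = re.compile(r"^(?P<id>[\w.-]+)@(?P<ver>\d+(?:\.\d+)*)(?P<tag>[-+].*)?$")


def parse_version(text):
    """Convert '3.1' or '3.1.4' to a tuple padded to three numeric parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_listing(listing, extension_id=EXTENSION_ID):
    """Return (status, version_string) for one host's extension listing.

    status is 'not-installed', 'vulnerable' (< 3.2.0) or 'fixed' (>= 3.2.0).
    """
    for raw in listing.splitlines():
        match = _ENTRY.match(raw.strip())
        if not match or match.group("id").lower() != extension_id.lower():
            continue
        tag = match.group("tag") or ""
        version = parse_version(match.group("ver"))
        # Numeric comparison, so 3.10.0 sorts above 3.2.0. A pre-release tag
        # on 3.2.0 itself (e.g. 3.2.0-rc1) is conservatively not counted as fixed.
        older = version < FIXED_VERSION
        prerelease_of_fix = version == FIXED_VERSION and tag.startswith("-")
        status = "vulnerable" if older or prerelease_of_fix else "fixed"
        return status, match.group("ver") + tag
    return "not-installed", None


# Constructed sample listing, not taken from a real host.
SAMPLE_LISTING = """\
ms-python.python@2024.2.1
example-publisher.agentforce-vibes@3.1.4
"""

if __name__ == "__main__":
    # Pipe real output in, or run without piped input to see the sample.
    data = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    print(audit_listing(data))
```

Replace `EXTENSION_ID` with the identifier shown for the extension on an affected host before using the result.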
