Backdrop CMS
cpe:2.3:a:backdropcms:backdrop_cms:*:*:*:*:*:*:*
- < 1.x-1.0.1
A cross-site request forgery (CSRF) vulnerability has been identified in the Salesforce module for Backdrop CMS, affecting all versions prior to 1.x-1.0.1. The vulnerability arises because the module does not properly generate or validate a cryptographically random 'state' parameter, leaving the authorization flow susceptible to CSRF attacks. Additionally, the OAuth callback can be accessed by most authenticated users and potentially anonymous users, depending on the site's configuration.
Exploitation of this vulnerability allows for cross-site request forgery, where an attacker could trick a user into performing actions they did not intend to, potentially leading to unauthorized changes or data manipulation within the application.
Users are advised to upgrade to the latest version of the Salesforce module. The updated version can be downloaded from the Salesforce project page on the Backdrop CMS website.
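The following Python sketch is an added illustration, not code from the Backdrop Salesforce module: it shows the state handling whose absence the advisory describes. A cryptographically random, single-use state is bound to the user's session before the redirect to the identity provider, and the callback refuses any request whose state does not round-trip to the same session. The authorize endpoint, client id and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for illustration only.
AUTHORIZE_URL = "https://login.example.invalid/services/oauth2/authorize"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://site.example.invalid/salesforce/oauth"


class StateMismatch(Exception):
    """Callback carried no state, or a state not issued to this session."""


def begin_authorization(session: dict) -> str:
    """Mint a random, single-use state, bind it to the session, build the authorize URL."""
    # 256 bits from the OS CSPRNG; a counter, timestamp or constant would be forgeable.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Return the authorization code only if the state matches this session's, exactly once."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    # pop() makes the state single use: a replayed or forged callback finds nothing to match.
    expected = session.pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(returned.encode(), expected.encode()):
        raise StateMismatch("state missing or not bound to this session (possible CSRF)")
    if "code" not in query:
        raise StateMismatch("callback carried a valid state but no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    session = {}
    url = begin_authorization(session)
    legit = f"{REDIRECT_URI}?code=AUTHCODE&state={session['oauth_state']}"
    print("accepted code:", handle_callback(session, legit))
    try:  # constructed forged callback: attacker-chosen code, no state issued to this user
        handle_callback({}, f"{REDIRECT_URI}?code=ATTACKER_CODE")
    except StateMismatch as exc:
        print("rejected:", exc)
```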