ClickSoftware

Commerce Cloud

Experience Cloud

Heroku

Hyperforce

Marketing Cloud

MuleSoft

Pardot

Quip

Sales Cloud

Salesforce Platform

Salesforce Einstein

Service Cloud

Slack

Tableau

Response to October 4, 2021, CERT Coordination Center note (VU#883754) 

Configuration of Salesforce Developer Experience Command Line Interface

ADV-2021-017

ADV-2021-016

Response to October 24, 2021, Microsoft blog post

Nobelium Attacks Targeting Cloud Services, Supply Chains

Spring4Shell vulnerability published in March 2022

Spring4Shell Security Update

GitHub repositories connected to Heroku issue

Heroku security notification

Tableau Server logging Personal Access Tokens into internal log repositories

Tableau security update

Broken access control vulnerability in Tableau Server

CVE-2022-22127

TrickBot / The Trick

Ransomware targeting Windows "Eternal Blue" vulnerability.

WannaCry Ransomware

Google Docs invitation containing a phishing link.

Google Docs Phishing Campaign

Oracle NetSuite and SAP SuccessFactors connectors used in Tableau Gallery may be storing sensitive data in a subset of Tableau On-Premise customers’ logging infrastructure  

Oracle NetSuite and SAP SuccessFactors connectors issue

Apache Log4j2 vulnerability published on December 10, 2021

Apache Log4j2 vulnerability

Malware leveraging MS17-010 (AKA EternalBlue) Vulnerability

MS17-010 Vulnerability (AKA EternalBlue)

Cloudflare, an embedded content delivery network and internet security services provider, disclosed a security vulnerability in their edge servers, which could expose information such as HTTP cookies, authentication tokens, and HTTP POST bodies.

Cloudflare Vulnerability

Vulnerability of Twitter Account Activity API

Twitter Account Activity API

If your organization is impacted by an information security incident, your organization’s Security Contact(s) will be notified.

Manage Security Contacts for Your Organization

Remote Code Execution in Mule runtime and API Gateway

CVE-2019-15631

Salesforce has not experienced any significant business impacts

COVID-19 Business Continuity Statement

Denial of Service vulnerability in Mule runtime

CVE-2020-6937

CVE-2019-15630

Sensitive information disclosure vulnerability in Tableau Server

CVE-2020-6938

Security vulnerability impact on Salesforce Sites and Communities

Salesforce Security Vulnerability

ADV-2020-046

Some Permission Changes Don't Take Effect Until Server Restart

ADV-2020-047

Phishing Campaign

ADV-2020-045

External Service Connection Fails To Validate Host Name

ADV-2020-044

Tableau Server Sensitive Values In Log File Location

ADV-2020-048

Potential impact to default sharing settings

Enhancements to Security of Community and Portal Users

Plaintext Data Source Secrets In Repository

ADV-2020-049

REST API Returns a Site Configuration Value to Unauthenticated Users

ADV-2020-050

ADV-2020-051

ADV-2020-053

Tableau Server Allows External Web Pages In Web Zones

ADV-2020-052

Tableau Desktop stores plaintext secrets in configuration file

ADV-2020-054

CVE-2020-6939

ADV-2020-057

ADV-2020-056

ADV-2020-055

Tableau Fixes a Vulnerability in QtWebEngine

ADV-2020-059

Tableau Server Default Installation Weak Folder Permissions

ADV-2020-060

ADV-2020-058

Tableau Server Non-Default Installation Weak Folder Permissions

ADV-2020-061

Tableau Server Logs Postgres Repository Password

ADV-2021-005

ADV-2021-004

ADV-2021-003

Reflected Error Message Content Injection

ADV-2021-001

ADV-2021-002

ADV-2021-007

Federal government and Fortune 500 companies compromised by supply chain attack

SolarWinds Software Compromise

ADV-2021-008

ADV-2021-010

Server Side Request Forgery in Mule runtime

CVE-2021-1627

Denial of Service Vulnerability in Tableau Server

ADV-2021-011

Microsoft Exchange Server vulnerabilities published on March 2, 2021 

Microsoft Exchange Server vulnerabilities

ADV-2021-009

Bash Uploader users’ secrets compromised by threat actor

Codecov Bash Uploader Compromise

ADV-2021-013

ADV-2021-012

Kaseya VSA ransomware attack on July 2, 2021


Kaseya Ransomware Attack

Remote Code Execution vulnerability in Mule runtime

CVE-2021-1626

Improper Data Cache Access Control When Using Initial SQL

ADV-2021-015

Not All Secrets Encrypted In Configuration

ADV-2021-006

Response to August 10, 2021, Varonis blog post

Configuration of Salesforce Sites and Communities Guest User Access Control Permissions

XML External Entity (XXE) vulnerability in Mule runtime

CVE-2021-1628

XML external entity (XXE) vulnerability in Mule runtime

CVE-2021-1630

Issue affecting Tableau Server Administration Agent

CVE-2022-22128

Customers are no longer required to obtain prior approval before performing security assessments for Salesforce products.

Security Assessments

Vulnerabilities could lead to unauthorized access to the MOVEit file transfer product and environment. No impact to Salesforce customer data at this time. On June 16, an additional critical vulnerability (ending in 708) was announced. On July 5, CVEs ending in 932, 933, and 934 were announced.

CVE-2023-34362, CVE-2023-35036, CVE-2023-35708, CVE-2023-36932, CVE-2023-36933, CVE-2023-36934

Tableau Python Server (TabPy) installations may be configured to execute arbitrary python code without authentication. Products Affected: TabPy 2.8.0 and earlier.

JavaScript vulnerability affecting the Salesforce tough-cookie open-source NPM project, which could allow a malicious actor to attach cookie data to a global namespace.

CVE-2023-26136

Server-side request forgery vulnerability which could allow a malicious actor to authenticate into instances of Tableau Server to access customers’ hosted data.

Tableau Security Notification

Salesforce is actively investigating CVE-2023-46604 for potential impact and implementing mitigations where necessary.  Salesforce will continue to follow its vulnerability management process, and should we discover evidence of unauthorized access to customer data, will notify impacted parties without undue delay.

CVE-2023-46604

On November 2, 2023, Salesforce Security was notified of CVE-2023-46604, a remote code execution (RCE) vulnerability impacting Apache ActiveMQ clients.

On May 11, 2023, a Local File Inclusion (LFI) security vulnerability was reported via our Advanced Server Access (ASA) Program.


Local File Inclusion (LFI) vulnerability affecting on-prem Tableau Servers

Salesforce Security discovered a vulnerability affecting the email notification functionality of Tableau's Flow Editor feature. As a result of this issue, an authenticated user could execute arbitrary commands on customers’ instances of Tableau Server. We assigned the CVSSv3 score as 9.1.

Local File Inclusion (LFI) vulnerability impacting some versions of Tableau Server

To enhance the security functionality and help prevent abuse of free trial orgs, on October 8, 2024, we temporarily disabled user-initiated email functionality for Core CRM Product Trials  – this does not include Active customers or other Salesforce products.



User Email Functionality Temporary Outage

Tableau allows for row-level access controls to be implemented to database fields via a filter feature that designates whether a particular value is included or excluded in a query. As a result of a broken access control, in impacted versions, workbook fields with the filter compression feature enabled are exposed in data visualizations if new values are added to the fields after they were originally filtered. Tableau has disabled the filter compression feature by default in Tableau Cloud and Server for the November Maintenance release. 

 

Security Issue With Tableau Row Level Access Controls

Salesforce strongly recommends that customers transition from RSA key exchanges to TLS 1.3 to enhance the security and efficiency of network communications. 

Transition from RSA Key Exchanges to TLS 1.3

User accounts without multi-factor authentication (MFA), IP restrictions, and/or that use weak credentials are at risk of being compromised by bad actors. See the Help article attached for an overview on how you can use customizable settings or implement Shield Event Monitoring to protect your user accounts. 

Take Action to Prevent Account Compromise 

Salesforce Security addressed a security issue impacting Tableau Cloud and Server workbooks in the August Maintenance release. We strongly encourage Tableau Server customers to apply the update associated with the major release, which can be downloaded from the Tableau Server Maintenance Release page.  Cloud customers do not need to take action as a patch was applied to Cloud instances on August 9, 2024. 

Security Issue Impacting Tableau Row Level Access Controls

Effective March 4, 2025 for Starter and ProSuite, March 5, 2025 for Service Enterprise Edition and Unlimited Edition, and March 20, 2025 for Sales Enterprise and Unlimited, the email functionality will be disabled for Trial Orgs provisioned through the Salesforce website during the standard 30 day evaluation period.

Email Functionality Restrictions for Trial Signups from Salesforce.com

Salesforce is aware of the media reports of the security vulnerabilities affecting Omnistudio, CVEs 2025-43698, 2025-43700, 2025-43701, 2025-43699 and 2025-43697, which impact the Flexcard and Data Mapper components of Omnistudio.

CVEs affecting Flexcard and Data Mapper components of Omnistudio

Salesforce is aware of recent media reports regarding a security issue involving the Aura Controller.  We take these matters seriously and conduct ongoing system scans to proactively identify and address potential vulnerabilities. Protecting our customers and their data is our top priority.

Based on currently available information, we have not identified any evidence of exploitation related to this issue. Salesforce has already implemented a fix, and no customer action is required at this time.

Customers with additional questions are encouraged to contact Salesforce Support.





Security Advisories