Security researcher Tobia Righi discovered a previously undocumented and exploitable SOQL injection vulnerability in Salesforce’s default CsvDataImportResourceFamilyController, affecting potentially millions of user records across Salesforce deployments. The vulnerability allows an attacker to exfiltrate document and user information using crafted queries, even bypassing significant SOQL limitations. Despite its severity, the issue was quietly patched without a CVE or public advisory.
Salesforce’s controller CsvDataImportResourceFamilyController directly embedded the user-supplied contentDocumentId parameter into an SOQL query without sanitization or parameterization, exposing the application to injection vectors.
Salesforce instances using the default Aura framework and CsvDataImportResourceFamilyController. All versions prior to the unannounced patch (likely patched post-April 2025, but no public version tag provided).
Status: Quietly patched by Salesforce. The vulnerability is no longer exploitable as of June 2025.
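As an added illustration, not Salesforce's own code (the patched controller source is not public): the string-concatenation pattern the advisory describes beside a hardened Apex controller that validates the Id and binds it, so the caller-supplied value can never alter the query structure. The class and method names are hypothetical; the ContentDocument fields queried are assumed for the example.

```apex
// Hypothetical Apex controller illustrating the pattern described above,
// not the actual CsvDataImportResourceFamilyController source.
public with sharing class DocumentLookupController {

    // VULNERABLE: the caller-controlled contentDocumentId is concatenated straight
    // into the SOQL text, so the query itself is attacker-influenced.
    @AuraEnabled
    public static List<ContentDocument> lookupUnsafe(String contentDocumentId) {
        String soql = 'SELECT Id, Title, FileType FROM ContentDocument '
                    + 'WHERE Id = \'' + contentDocumentId + '\'';
        return Database.query(soql);
    }

    // HARDENED: parse the input as an Id, check its object type, then bind it.
    // WITH USER_MODE additionally enforces the running user's object, field
    // and sharing permissions on the query.
    @AuraEnabled
    public static List<ContentDocument> lookupSafe(String contentDocumentId) {
        Id docId;
        try {
            docId = Id.valueOf(contentDocumentId);   // throws on malformed input
        } catch (StringException e) {
            throw new AuraHandledException('Invalid contentDocumentId');
        }
        if (docId.getSobjectType() != ContentDocument.SObjectType) {
            throw new AuraHandledException('Not a ContentDocument Id');
        }
        return [SELECT Id, Title, FileType
                FROM ContentDocument
                WHERE Id = :docId
                WITH USER_MODE];
    }

    // When the query must stay dynamic, pass values through a bind map
    // instead of concatenating them into the SOQL string.
    public static List<ContentDocument> lookupDynamicSafe(String contentDocumentId) {
        String soql = 'SELECT Id, Title, FileType FROM ContentDocument WHERE Id = :docId';
        Map<String, Object> binds = new Map<String, Object>{ 'docId' => contentDocumentId };
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }
}
```

Detection-wise, a code scan for `Database.query(` calls whose argument is built with `+` from a method parameter flags the unsafe shape; the bound forms leave no string to concatenate into.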