Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0.
The vulnerability results from improper code generation control (CWE-94) in Salesforce Uni2TS. An attacker can supply specially crafted input data, which is then interpreted and executed as code. The 'Leverage Executable Code in Non-Executable Files' mechanism allows embedding executable code in files that should not normally be treated as executable code, leading to its execution by the vulnerable application.
An attacker can gain full control over the system — achieve confidentiality, integrity, and availability at a critical level. Remote execution of arbitrary code (RCE) is possible on systems running Uni2TS.
Apply patches available from the vendor according to references (https://help.salesforce.com/s/articleView?id=005239354&type=1). Until updating, it is recommended to restrict network access to systems with Uni2TS installed and monitor activity for unauthorized code execution.
Salesforce Uni2TS in all versions up to and including 1.2.0, running on MacOS, Windows, and Linux systems.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSalesforce Uni2ts
APPSalesforce< 2.0.0
Related vulnerabilities
Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement
Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)
Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)
Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)
MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime ...