SYM_GEN_0038 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Cross-Site Request Forgery (CSRF)

| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
Performing database operations (insert, update, upsert, or delete) in Apex class constructors or static initializers causes data to change as a side effect of merely loading a page, without any explicit user action. Because that code runs on the initial page request rather than from a submitted form, the anti-forgery token check that Visualforce applies to action methods never takes place. Only read-only database queries (SOQL) are safe in these contexts.
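The following is an added illustration, not code from the Symbiotic-Vulnerability-Database wiki: a Visualforce controller whose constructor and static initializer perform DML on page load, beside a hardened version that only queries in the constructor and moves the write into an action method bound to a button. Class, page and record names are hypothetical; `Account` is the standard Salesforce object. In a real org each class lives in its own `.cls` file.

```apex
// Added example (hypothetical names). Each class below would be its own .cls file.

// VULNERABLE: DML runs while the controller is being constructed, i.e. on every
// GET of the page, before the user has clicked anything. No form is posted, so
// Visualforce's anti-forgery token is never checked.
public with sharing class VulnerableAccountController {
    // Static initializer: runs on first reference to the class, also without user action.
    static {
        insert new Account(Name = 'Created on class load'); // unintended write
    }

    public Account acct { get; set; }

    public VulnerableAccountController() {
        acct = [SELECT Id, Name, Rating FROM Account WHERE Name = 'Acme' LIMIT 1];
        acct.Rating = 'Hot';
        update acct; // unintended write on page load
    }
}

// HARDENED: the constructor only reads. The state change lives in an action
// method that is invoked from an <apex:commandButton> inside an <apex:form>;
// Visualforce invokes action methods only from a POST carrying the page's token.
public with sharing class SafeAccountController {
    public Account acct { get; set; }

    public SafeAccountController() {
        // Read-only SOQL query: safe in a constructor.
        acct = [SELECT Id, Name, Rating FROM Account WHERE Name = 'Acme' LIMIT 1];
    }

    // Explicit user action; returning null keeps the user on the same page.
    public PageReference markHot() {
        acct.Rating = 'Hot';
        update acct;
        return null;
    }
}

/* SafeAccountPage.page (hypothetical Visualforce markup that drives the
   hardened controller):

<apex:page controller="SafeAccountController">
  <apex:form>
    <apex:outputText value="{!acct.Name}"/>
    <apex:commandButton action="{!markHot}" value="Mark as Hot"/>
  </apex:form>
</apex:page>
*/
```

The same rule applies to the `action` attribute of `<apex:page>`, which also runs on page load: keep DML out of it and out of anything else that executes before the user submits a form. When reviewing a controller, search for `insert`, `update`, `upsert`, `delete` and `Database.*` calls in constructors, static blocks and page actions, and confirm that each state-changing path is reachable only through an action method.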
## Impact
Attackers could exploit this to trigger unauthorized data changes simply by accessing the affected pages, or by causing other users to access them, leading to data corruption, privilege escalation, or loss of data integrity. This weakens access control and could compromise sensitive business operations within Salesforce.