Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-43699

Summary
Assigner-Salesforce
Assigner Org ID-c9b25dee-ae6d-4083-ba23-638c500cc364
Published At-10 Jun, 2025 | 11:44
Updated At-18 Jun, 2025 | 13:31
Rejected At-
Credits

Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of required permission check.  This impacts OmniStudio: before Spring 2025

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Salesforce
Assigner Org ID:c9b25dee-ae6d-4083-ba23-638c500cc364
Published At:10 Jun, 2025 | 11:44
Updated At:18 Jun, 2025 | 13:31
Rejected At:
▼CVE Numbering Authority (CNA)

Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of required permission check.  This impacts OmniStudio: before Spring 2025

Affected Products
Vendor
Salesforce
Product
OmniStudio
Default Status
unaffected
Versions
Affected
  • From 0 before Spring 2025 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-602CWE-602: Client-Side Enforcement of Server-Side Security
Type: CWE
CWE ID: CWE-602
Description: CWE-602: Client-Side Enforcement of Server-Side Security
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-180CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
CAPEC ID: CAPEC-180
Description: CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://help.salesforce.com/s/articleView?id=004980323&type=1
N/A
Hyperlink: https://help.salesforce.com/s/articleView?id=004980323&type=1
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@salesforce.com
Published At:10 Jun, 2025 | 12:15
Updated At:18 Jun, 2025 | 14:15

Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of required permission check.  This impacts OmniStudio: before Spring 2025

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-602Secondarysecurity@salesforce.com
CWE ID: CWE-602
Type: Secondary
Source: security@salesforce.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://help.salesforce.com/s/articleView?id=004980323&type=1security@salesforce.com
N/A
Hyperlink: https://help.salesforce.com/s/articleView?id=004980323&type=1
Source: security@salesforce.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2025-52455
Matching Score-8
Assigner-Salesforce, Inc.
ShareView Details
Matching Score-8
Assigner-Salesforce, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.00%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 19:11
Updated-29 Jul, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (EPS Server modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.

Action-Not Available
Vendor-Salesforce
Product-Tableau Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-52454
Matching Score-8
Assigner-Salesforce, Inc.
ShareView Details
Matching Score-8
Assigner-Salesforce, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.00%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 19:08
Updated-29 Jul, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Amazon S3 Connector modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.

Action-Not Available
Vendor-Salesforce
Product-Tableau Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-54833
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-6.9||MEDIUM
EPSS-0.04% / 8.79%
||
7 Day CHG~0.00%
Published-31 Jul, 2025 | 17:26
Updated-07 Aug, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OPEXUS FOIAXpress Public Access Link (PAL) account-lockout and CAPTCHA protection bypass

OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords.

Action-Not Available
Vendor-OPEXUS
Product-FOIAXpress Public Access Link (PAL)
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CVE-2024-32521
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.50% / 64.77%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:56
Updated-02 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Zero Spam for WordPress plugin <= 5.5.6 - Bypass Spam Protection vulnerability

Client-Side Enforcement of Server-Side Security vulnerability in Highfivery LLC Zero Spam allows Removing Important Client Functionality.This issue affects Zero Spam: from n/a through 5.5.6.

Action-Not Available
Vendor-Highfivery LLChighfivery
Product-Zero Spamzero_spam_for_wordpress
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CVE-2024-32512
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 51.99%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:56
Updated-02 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress weForms plugin <= 1.6.20 - Form Submission Restriction Bypass vulnerability

Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality.This issue affects weForms: from n/a through 1.6.20.

Action-Not Available
Vendor-weForms (InMotion Hosting, Inc.)
Product-weFormsweforms
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
Details not found