SalesforceFoundation / NPSP

The current version of the Salesforce.org Nonprofit Success Pack
http://www.salesforce.org/nonprofit/nonprofit-success-pack/
BSD 3-Clause "New" or "Revised" License

Unauthorized user can view the "Amount" field of Opportunity items on /apex/PMT_PaymentWizard #6327

Closed schlossmj closed 3 years ago

schlossmj commented 3 years ago

This is a security vulnerability reported via our external Bug Bounty Program. H1 Report #860021. If you feel you require access to H1 for additional details or to interact with the researcher in order to reproduce or remediate this bug, please contact bugbounty@salesforce.com.

Before closing bugs without a fix (not a bug, never, not reproducible) please @mention your prodsec contact to clarify the reason. If you are not sure about your prodsec contact, please @mention @[Product Security]

Feel free to check out the following documentation describing the meaning of the status of Bug Bounty bugs: https://salesforce.quip.com/kFqEA6HhuSDz

Vulnerability Details from Researcher

Register an org on https://www.salesforce.org/trial/npsp.

Steps to reproduce: Victim (admin)

  1. Go to https://na174.salesforce.com/_ui/common/config/field/StandardFieldAttributes/d?id=Amount&type=Opportunity
  2. Click the "Set Field-Level Security" button
  3. Uncheck the Visible checkbox and save
  4. Go to https://na85.salesforce.com/006/o and create a new opportunity
  5. Complete the Amount field as you want and save. Let's suppose the id is 0066g00000A78LG

Attacker (custom permission set)

If the attacker goes to https://gs0.salesforce.com/0066g00000A78LG/e (Opportunity id), the "Amount" field must be hidden by the victim.

  1. Go to https://npsp.na174.visual.force.com/apex/PMT_PaymentWizard?id=0066g00000A78LG&wtype=writeoff (Opportunity id)
  2. You should be able to view the Amount field without any problem

Impact: Privilege Escalation
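The report above describes a custom Visualforce page showing a field whose field-level security (FLS) hides it from the running user. As an added illustration (not NPSP's code and not the fix shipped in 3.195), this is the kind of FLS enforcement a Visualforce controller should apply before a page can render Opportunity.Amount; the class name and property names are assumptions.

```apex
// Added illustration (not NPSP's own code): a Visualforce controller that
// enforces field-level security (FLS) on Opportunity.Amount before the page
// can render it, so a user whose profile or permission set hides Amount
// cannot see it on a custom page the way the report describes.
public with sharing class PaymentWizardFlsExample {

    // Exposed to the page; opp is null when the user may not read the record.
    public Opportunity opp { get; private set; }
    public Boolean amountVisible { get; private set; }

    public PaymentWizardFlsExample(ApexPages.StandardController stdController) {
        Id oppId = stdController.getId();

        // Check 1: describe-based FLS check for a single field. The page binds
        // rendered="{!amountVisible}" so the Amount output is omitted entirely.
        amountVisible = Schema.sObjectType.Opportunity.fields.Amount.isAccessible();

        // Check 2: strip every field the user cannot read from the queried rows.
        // 'with sharing' governs record access; stripInaccessible governs FLS,
        // so a value the query fetched never reaches the view model.
        List<Opportunity> rows = [
            SELECT Id, Name, Amount FROM Opportunity WHERE Id = :oppId LIMIT 1
        ];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        opp = decision.getRecords().isEmpty()
            ? null : (Opportunity) decision.getRecords()[0];

        // Diagnostics: fields removed per object type, e.g. {Opportunity={Amount}}
        System.debug(LoggingLevel.INFO, decision.getRemovedFields());
    }

    // Getter the page uses instead of {!opp.Amount}. Reading a field that
    // stripInaccessible removed throws an SObjectException, so guard it here.
    public Decimal getAmountForDisplay() {
        return (amountVisible && opp != null) ? opp.Amount : null;
    }
}
```

On the page, bind the value through the guarded getter, for example `<apex:outputText value="{!amountForDisplay}" rendered="{!amountVisible}"/>`, rather than exposing the raw record or a wrapper property that bypasses FLS.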

salesforce-org-metaci[bot] commented 3 years ago

Included in beta release 3.195 (Beta 12)

salesforce-org-metaci[bot] commented 3 years ago

Included in production release 3.195