This is a security vulnerability reported via our external Bug Bounty Program. H1 Report #860021. If you feel you require access to H1 for additional details or to interact with the researcher in order to reproduce or remediate this bug, please contact bugbounty@salesforce.com.
Before closing bugs without a fix (not a bug, never, not reproducible), please @mention your prodsec contact to clarify the reason. If you are not sure about your prodsec contact, please @mention @[Product Security].
Feel free to check out the following documentation describing the meaning of the status of Bug Bounty bugs: https://salesforce.quip.com/kFqEA6HhuSDz
Vulnerability Details from Researcher
Register an org on https://www.salesforce.org/trial/npsp.
Steps to reproduce: Victim (admin)
If the attacker goes to https://gs0.salesforce.com/0066g00000A78LG/e (Opportunity id), the "Amount" field must be hidden by the victim.
Impact: Privilege Escalation