Cross-Site Request Forgery (CSRF)
| Property | |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Medium |
Description
Performing DML operations (insert, update, upsert, delete, undelete or merge) in an Apex class constructor, a property getter, or a static initializer causes the database to be modified as a side effect of merely loading a Visualforce page. No explicit user action is required, and Salesforce's anti-CSRF token is only validated for action methods invoked by a form submission (for example an apex:commandButton or apex:commandLink), not for code that runs during page construction. Only read operations (SOQL and SOSL queries) are safe in these contexts; any DML belongs in an action method that the user triggers deliberately, and that method should still enforce CRUD/FLS and sharing checks on the records it changes.
Impact
An attacker who can get a victim to load the page, for instance by sending a link or embedding it in another page, can trigger the DML under the victim's session and privileges without any anti-CSRF check. Depending on what the constructor or initializer writes, this leads to data corruption, unauthorized record changes, privilege escalation, or loss of data integrity, weakening access control and potentially compromising sensitive business operations within the Salesforce org.
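The following is an added illustration and not code from the original page or from Salesforce: a Visualforce controller that updates a record in its constructor, beside the corrected version that keeps the constructor read-only and moves the DML into an action method bound to a command button. The object and field names (Account, a hypothetical custom field Status__c) and the page name are assumptions; in a real org the two classes would live in separate .cls files.

```apex
// VULNERABLE: the update runs every time the page is loaded, even via a link an
// attacker sends to the victim. No anti-CSRF token is checked for constructors.
public with sharing class AccountReviewControllerVulnerable {
    public Account acct { get; private set; }

    public AccountReviewControllerVulnerable(ApexPages.StandardController stdCtrl) {
        acct = [SELECT Id, Status__c FROM Account WHERE Id = :stdCtrl.getId() LIMIT 1];
        acct.Status__c = 'Reviewed';   // Status__c is a hypothetical custom field
        update acct;                   // DML in a constructor: flagged by this rule
    }
}

// FIXED: the constructor only reads (SOQL is safe here); the state change lives
// in an action method that Visualforce only invokes from a form POST carrying
// the platform's anti-CSRF token, e.g.
//   <apex:page standardController="Account" extensions="AccountReviewController">
//     <apex:form>
//       <apex:commandButton value="Mark reviewed" action="{!markReviewed}"/>
//     </apex:form>
//   </apex:page>
public with sharing class AccountReviewController {
    public Account acct { get; private set; }

    public AccountReviewController(ApexPages.StandardController stdCtrl) {
        // Read-only initialization; 'with sharing' applies record-level access.
        acct = [SELECT Id, Status__c FROM Account WHERE Id = :stdCtrl.getId() LIMIT 1];
    }

    // Static initializers must also stay free of DML; constants only.
    private static final String REVIEWED = 'Reviewed';

    public PageReference markReviewed() {
        // Explicit CRUD/FLS check before writing; the CSRF token has already
        // been validated by the platform because this is an action method.
        if (!Schema.sObjectType.Account.isUpdateable() ||
            !Schema.sObjectType.Account.fields.Status__c.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient privileges to update this record.'));
            return null;
        }
        acct.Status__c = REVIEWED;
        update acct;
        return null;   // stay on the current page
    }
}
```

The detection rule is satisfied by the second class because no DML statement appears in a constructor, getter, or static initializer; the CRUD/FLS check is additional hardening that the CSRF fix alone does not provide.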