Loading

Omnistudio Issue 2025 - Datamapper and Flexcard

Publish Date: Jul 9, 2025
Description

AppOmni, a Salesforce research partner, recently discovered CVEs 2025-43698, 2025-43700, 2025-43701, 2025-43699 and 2025-43697, which impact the Flexcard and Data Mapper components of Omnistudio (for both Core and managed packages). 

 

Datamapper CVE: 

 

CVE-2025-43697: Improper Preservation of Permissions vulnerability in Salesforce OmniStudio’s DataMapper feature allows exposure of encrypted data. This impacts OmniStudio versions prior to Spring ‘25. CVSS 3.1 Scoring Link Base Score 7.5 (High) 

 

Flexcard CVEs:

 

CVE-2025-43698: Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field-level security controls for Salesforce objects. This impacts OmniStudio versions prior to Spring ‘25. CVSS 3.1 Scoring Link Base Score: 7.5  (High)

 

CVE-2025-43699: Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field-level security controls for OmniUICard objects. This impacts OmniStudio versions prior to Spring ‘25. CVSS 3.1 Scoring Link Base Score: 5.3 (Medium)

 

CVE-2025-43700: Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of encrypted data. This impacts OmniStudio versions prior to Spring ‘25. CVSS 3.1 Scoring Link Base Score: 7.5  (High)

 

CVE-2025-43701: Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data. This impacts OmniStudio versions prior to Spring ‘25. CVSS 3.1 Scoring Link Base Score: 7.5  (High)

Resolution

Customers should:

  • Review the affected components (Flexcards and Data Mappers).

  • Verify that users experiencing data access issues have the required FLS and permissions.

  • Update user profiles or permission sets accordingly to restore expected data visibility.

Knowledge Article Number

004980323

 
Loading
Salesforce Help | Article