Impact
Workbench, a suite of tools for interacting with Salesforce.com, contains a reflected cross‑site scripting vulnerability in the footerScripts parameter. The input supplied via this parameter is inserted into the page response without proper neutralization, enabling an attacker to inject arbitrary JavaScript. Because the script runs within the user’s browser context, it can access session cookies or execute commands on behalf of the authenticated user, leading to session hijacking. The weakness is identified as CWE‑79 and is rated with a CVSS score of 5.1, indicating moderate severity.
Affected Systems
The flaw exists in all Force Workbench releases prior to version 65.0.0. Administrators and developers using any earlier build should verify the exact version of the Workbench package they have deployed and compare it with the advisory to determine if the installation is impacted.
Risk and Exploitability
The vulnerability is exploitable in a typical web environment via a crafted URL or posted data that includes a malicious footerScripts value. Although EPSS data is not available and the issue is not listed in the CISA KEV catalog, the moderate CVSS score combined with the ability to target authenticated sessions suggests a non‑negligible risk, especially for organizations that expose the Workbench interface to users with privileged Salesforce accounts.
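As an added illustration (not Workbench's own code; the template, the `/app` path and the log lines are constructed), the unneutralized reflection pattern described under Impact beside a hardened version, plus a log check for the crafted-URL case described above:

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a page that reflects a request parameter into its
# footer, as the advisory describes; not the Workbench source.
FOOTER_TEMPLATE = "<html><body><h1>Workbench</h1><footer>{footer}</footer></body></html>"


def render_footer_vulnerable(footer_scripts: str) -> str:
    """CWE-79 pattern: the parameter lands in the response without neutralization."""
    return FOOTER_TEMPLATE.format(footer=footer_scripts)


def render_footer_hardened(footer_scripts: str) -> str:
    """Fixed pattern: entity-encode for an HTML element-content context.
    html.escape is right only for this context; a value placed inside an
    attribute, a URL or a <script> block needs that context's own encoder."""
    return FOOTER_TEMPLATE.format(footer=html.escape(footer_scripts, quote=True))


# Heuristic markers of markup in a parameter that should hold plain text.
# Access-log review aid only, not a substitute for output encoding.
_MARKUP = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_requests(log_lines):
    """Return (line_no, decoded value) for requests whose footerScripts
    parameter carries script-like markup; values are URL-decoded first."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        fields = line.split()  # method, request target, protocol
        if len(fields) < 2:
            continue
        query = parse_qs(urlparse(fields[1]).query)
        for value in query.get("footerScripts", []):
            if _MARKUP.search(value):
                hits.append((line_no, value))
    return hits


# Constructed request-log lines; /app is a placeholder path.
SAMPLE_LOG = [
    "GET /app?footerScripts=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /app?footerScripts=Powered%20by%20Workbench HTTP/1.1",
    "GET /app HTTP/1.1",
]
```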
OpenCVE Enrichment