Lucene search

GitHub Advisory DatabaseGHSA-FGJJ-5JMR-GH83

HistoryOct 24, 2023 - 2:45 a.m.

Fides JavaScript Injection Vulnerability in Privacy Center URL

2023-10-2402:45:31

CWE-79

GitHub Advisory Database

github.com

fides web application

privacy notices

cookie consent banners

javascript execution

integrated website

admin ui users

contributor role

vulnerability patch

fides version 2.22.1

system security

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

23.6%

JSON

Impact

The Fides web application allows users to edit consent and privacy notices such as cookie banners. These privacy notices can then be served by other integrated websites, for example in cookie consent banners. One of the editable fields is a privacy policy URL and this input was found to not be validated.

The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website.

Exploitation is limited to Admin UI users with the contributor role or higher.

Patches

The vulnerability has been patched in Fides version 2.22.1. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Affected configurations

Vulners

Node

ethycafidesRange<2.22.1

CPENameOperatorVersion
ethyca-fideslt2.22.1

CPE	Name	Operator	Version
	ethyca-fides	lt	2.22.1

References

github.com/advisories/GHSA-fgjj-5jmr-gh83

github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506

github.com/ethyca/fides/releases/tag/2.22.1

github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83

nvd.nist.gov/vuln/detail/CVE-2023-46126