PT-2026-41138
Summary fides.js is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted descriptions, the...
Improper Enforcement of Behavioral Workflow
Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow in the privacy request approval process when both subjectidentityverificationrequired and...
Improper Session Invalidation
ethyca-fides is vulnerable to improper session invalidation. The vulnerability is due to active user sessions not being invalidated after an admin UI password change, which allows an attacker with previously obtained session tokens to maintain unauthorized access even after a password reset...
Improper Authorization
ethyca-fides is vulnerable to improper authorization. The vulnerability is due to insufficient scope validation in the OAuth client creation and update endpoints, which allows an attacker or a highly privileged user to escalate privileges to owner-level...
Improper Control of Interaction Frequency
Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Improper Control of Interaction Frequency due to inefficient built-in IP-based rate limiting in environments with CDNs, proxies or load balancers. An attacker can...
Brute Force
Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Brute Force via insufficient protections on the authentication process. An attacker can gain unauthorized access to user accounts by performing automated credential...
Insufficient Session Expiration
Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the insufficient session management. The authentication system validates tokens based on their cryptographic integrity and...
Client-Side Enforcement of Server-Side Security
Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security due to improper implementation of password policy validations in the /api/v1/user/accept-invite endpoint. An attacker can...
dcicsnovault (>=2.0.0b4 <=2.0.0b7), ethyca-fides (>=2.10.0 <=2.19.0rc8) +2 more potentially affected by CVE-2024-51734 via accesscontrol (>=4.4.0 <=6.0.0)
accesscontrol PYPI version =4.4.0, =2.0.0b4, =2.10.0, =4.6.3, =4.8.11 Source cves: CVE-2024-51734 Source advisory: OSV:GHSA-G5VW-3H65-2Q3V...
Server-side Template Injection (SSTI)
ethyca-fides is vulnerable to Server-Side Template Injection (SSTI). The vulnerability is due to improper input sanitization and lack of rendering environment restrictions in the Jinja2 templating engine used in the Email Templating feature of Fides, which allows privileged users to execute remote...
Username Enumeration Attack
ethyca-fides is vulnerable to Username Enumeration Attack. The vulnerability is due to discrepancies in response times between valid and invalid usernames, which allow attackers to infer valid usernames based on the timing of server responses...
Ethyca Fides Security Vulnerability
Ethyca Fides is an open source privacy engineering platform from Ethyca, Inc. for managing the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in Ethyca Fides versions prior to 2.44.0. An attack...
Ethyca Fides Security Vulnerability
Ethyca Fides is an open source privacy engineering platform from Ethyca, Inc. for managing the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in Ethyca Fides version 2.19.0 through versions pri...
Fides Security Vulnerabilities
Ethyca Fides is an open source privacy engineering platform from Ethyca that manages the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in Fides versions prior to 2.39.2rc0, which stems from a...
Partial Password Leakage
ethyca-fides is vulnerable to Partial Password Leakage. The vulnerability is due to improper sanitization/redaction of the SQLAlchemy password string in error logs, which partially exposes the database password when special characters are used inside the password...
HTML Injection
ethyca-fides is vulnerable to HTML Injection. The vulnerability arises due to a lack of input validation on data coming from connected systems and data stores, which is reflected in the downloaded data. This results in an HTML injection that can be abused to perform phishing attacks or malicious JS executio...
CVE-2023-47114 Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the...
Cross-site Scripting (XSS)
ethyca-fides is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to a lack of proper validation in privacyexperience.py, which results in inadequate verification of privacy policy URLs. This flaw allows an attacker to create a malicious payload in the privacy policy URL. When...
Information Disclosure
ethyca-fides is vulnerable to Information Disclosure. The vulnerability is due to roles.py granting the CONFIGREAD scope to roles other than the owner, specifically the VIEWER and VIEWERANDAPPROVER roles. This allows Admin UI users with roles lower than the owner role to retrieve sensitive confi...