Ethyca Fides

20 matches found

CVE-2024-52008 (added 2024/11/26 6:52 p.m., 2797 views)

Fides (open-source privacy engineering platform) has a password policy bypass in its invite flow. The /api/v1/user/accept-invite endpoint does not enforce the server-side password policy, allowing an invited user to set an arbitrarily weak password during initial account setup despite UI client-s...

CVSS 8.8 | AI score 6.5 | EPSS 0.00536
CVE-2023-36827 (added 2023/07/05 9:22 p.m., 2498 views)

CVE-2023-36827 (Fides): A path traversal vulnerability affects Fides webserver in versions below 2.15.1, enabling remote attackers to access arbitrary files on the webserver container filesystem. The issue is fixed in 2.15.1. If the webserver API is behind a reverse proxy and the proxy is an AWS...

CVSS 7.5 | AI score 7.6 | EPSS 0.0109
CVE-2023-41319 (added 2023/09/06 5:54 p.m., 2494 views)

The CVE-2023-41319 vulnerability affects Fides versions 2.11.0–2.19.0, where the webserver API accepts ZIP uploads that may contain Python code executed in a sandbox that can be bypassed. An attacker with API access using the CONNECTOR_TEMPLATE_REGISTER scope (restricted in Admin UI to highly pri...

CVSS 8.8 | AI score 8.1 | EPSS 0.00837
CVE-2024-38537 (added 2024/07/02 7:50 p.m., 103 views)

Fides (Ethyca) vulnerability CVE-2024-38537 affects the client-side script fides.js, which in a limited edge case used the polyfill.io domain to support legacy browsers (IE11) lacking fetch. If the polyfill.io domain was compromised, legacy-browser users could download and execute malicious scri...

CVSS 9.8 | AI score 3.7 | EPSS 0.01427
CVE-2024-35189 (added 2024/05/30 7:47 p.m., 89 views)

Fides vulnerability CVE-2024-35189 affects the BigQuery connection configuration secrets, where a bug in masking nested sensitive fields allowed plaintext exposure via API endpoints. Affected component: BigQuerySchema secrets structure containing keyfile_creds.private_key exposed in plaintext acr...

CVSS 6.5 | AI score 6.4 | EPSS 0.00577
CVE-2023-46125 (added 2023/10/24 10:42 p.m., 87 views)

CVE-2023-46125 affects the Fides open-source privacy platform. The vulnerability arises in the webserver API’s GET /api/v1/config endpoint, where configuration data is returned with sensitive internals and backend details (e.g., settings, server addresses/ports, database username) despite filteri...

CVSS 6.5 | AI score 6.3 | EPSS 0.00722
CVE-2023-47114 (added 2023/11/08 9:50 p.m., 80 views)

CVE-2023-47114 affects Fides HTML-formatted Data Subject Request packages. Root cause: lack of input validation for data from connected systems/data stores, enabling HTML injection when a data subject opens the downloaded package (typically HTML files in ZIP) in a browser via file://. Existence o...

CVSS 6.1 | AI score 5.4 | EPSS 0.00609
CVE-2023-48224 (added 2023/11/15 8:53 p.m., 80 views)

CVE-2023-48224 affects Fides (Privacy Center) where one-time verification codes are generated using Python’s weak random module. The root cause is a cryptographically weak pseudo-random number generator, allowing an attacker who observes several hundred codes to predict future codes within the ba...

CVSS 9.1 | AI score 8.8 | EPSS 0.00992
CVE-2023-46124 (added 2023/10/24 10:51 p.m., 75 views)

CVE-2023-46124 affects the Fides web application. Specially crafted YAML dataset/configs uploaded as a ZIP can trigger Server-Side Request Forgery, allowing a malicious user to issue arbitrary requests to internal resources (including localhost) and exfiltrate data. The root cause is inadequate v...

CVSS 8.2 | AI score 7.5 | EPSS 0.00675
CVE-2023-46126 (added 2023/10/24 9:59 p.m., 69 views)

CVE-2023-46126 affects Fides: a JavaScript injection risk in the privacy policy URL editable by Admin UI users with contributor+ permissions. The flaw allows crafting a payload in the privacy policy URL that executes JavaScript when the privacy notice is served by an integrated website; the execu...

CVSS 5.4 | AI score 4.8 | EPSS 0.00607
CVE-2023-37480 (added 2023/07/18 6:19 p.m., 62 views)

CVE-2023-37480 affects the Fides webserver, specifically the connector template upload feature. A zip-bomb upload can exhaust resources and cause service unavailability for all users. Impact is limited to users with elevated privileges (CONNECTOR_TEMPLATE_REGISTER scope, including root and owner ...

CVSS 4.9 | AI score 4.7 | EPSS 0.00568
CVE-2024-34715 (added 2024/05/29 4:35 p.m., 62 views)

CVE-2024-34715 affects the Fides webserver, where an improper escaping of the SQLAlchemy password string can cause the database password to be partially exposed in webserver logs when the password contains characters like @ or $. This is due to insufficient escaping of the password in the connect...

CVSS 3.3 | AI score 3.4 | EPSS 0.00275
CVE-2024-31223 (added 2024/07/03 5:34 p.m., 59 views)

Fides Privacy Center vulnerability CVE-2024-31223: Versions 2.19.0 through before 2.39.2rc0 expose SERVER_SIDE_FIDES_API_URL to unauthenticated HTTP GET requests, leaking private server configuration (IP addresses, ports, private domains). Root cause: server-side environment variable disclosure t...

CVSS 5.3 | AI score 5.1 | EPSS 0.01114
CVE-2024-45052 (added 2024/09/04 3:43 p.m., 54 views)

Affected software: Fides Webserver authentication (part of the Fides platform). Vulnerability: timing-based username enumeration where an unauthenticated attacker can deduce valid usernames by measuring login response times. Root cause / mechanics: observable timing discrepancy between respons...

CVSS 5.3 | AI score 5.3 | EPSS 0.00552
CVE-2024-45053 (added 2024/09/04 4:04 p.m., 51 views)

Fides (open‑source privacy engineering platform) is affected by a Server‑Side Template Injection in the Email Templating feature using Jinja2, allowing Remote Code Execution by privileged Admin UI users. Cloaked between versions 2.19.0 and before 2.44.0, the issue arises from insufficient input s...

CVSS 9.1 | AI score 8.8 | EPSS 0.01342
CVE-2023-37481 (added 2023/07/18 6:19 p.m., 44 views)

The CVE-2023-37481 entry concerns the Fides webserver. A DoS can be triggered by uploading a zip containing malicious SVG bombs (billion‑laugh style) via the admin UI, exhausting resources on the new connector page. Affected versions are 2.11.0–2.15.1; exploitation is limited to users with elevat...

CVSS 4.9 | AI score 4.4 | EPSS 0.00579
CVE-2025-57815 (added 2025/09/08 9:11 p.m., 22 views)

CVE-2025-57815 (Fides) describes a lack of anti-automation protections on the Admin UI login endpoint prior to version 2.69.1, enabling brute-force style credential testing (credential stuffing/password spraying) against accounts with weak or compromised passwords. Affected product: Fides (Open S...

CVSS 6.5 | AI score 6.6 | EPSS 0.00277
CVE-2025-57816 (added 2025/09/08 9:14 p.m., 22 views)

CVE-2025-57816 concerns the Fides Webserver API rate limiting. The issue arises in deployments that rely on the built‑in IP‑based rate limiter in proxied environments (CDNs, proxies, load balancers): limits are applied to the immediate connection IP rather than the client IP, and counters are sto...

CVSS 7.5 | AI score 6.3 | EPSS 0.00406
CVE-2025-57817 (added 2025/09/08 9:17 p.m., 22 views)

The CVE describes a privilege-escalation flaw in Fides: before version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment, allowing users with client:create or client:update permissions to elevate to owner-level. Affected c...

CVSS 8.6 | AI score 6.6 | EPSS 0.00392
CVE-2025-57766 (added 2025/09/08 9:12 p.m., 18 views)

CVE-2025-57766 affects the Fides open-source privacy engineering platform. Prior to version 2.69.1, when an admin UI password is changed, existing active sessions are not invalidated, allowing an attacker who has obtained a valid session token (for example via XSS or other vector) to maintain acc...

CVSS 6.3 | AI score 6.4 | EPSS 0.00275