Lucene search
K

14 matches found

CVE
CVE
added 2024/11/26 6:52 p.m.2797 views

CVE-2024-52008

Fides (open-source privacy engineering platform) has a password policy bypass in its invite flow. The /api/v1/user/accept-invite endpoint does not enforce the server-side password policy, allowing an invited user to set an arbitrarily weak password during initial account setup despite UI client-s...

8.8CVSS6.5AI score0.00536EPSS
Web
CVE
CVE
added 2023/07/05 9:22 p.m.2502 views

CVE-2023-36827

CVE-2023-36827 (Fides) : A path traversal vulnerability affects Fides webserver in versions below 2.15.1, enabling remote attackers to access arbitrary files on the webserver container filesystem. The issue is fixed in 2.15.1. If the webserver API is behind a reverse proxy and the proxy is an AWS...

7.5CVSS7.6AI score0.01491EPSS
CVE
CVE
added 2024/07/02 7:50 p.m.106 views

CVE-2024-38537

Fides (Ethical) vulnerability CVE-2024-38537 affects the client-side script fides.js, which in a limited edge case used the polyfill.io domain to support legacy browsers (IE11) lacking fetch. If the polyfill.io domain was compromised, legacy-browser users could download and execute malicious scri...

9.8CVSS3.7AI score0.01427EPSS
CVE
CVE
added 2024/05/30 7:47 p.m.93 views

CVE-2024-35189

Fides vulnerability CVE-2024-35189 affects the BigQuery connection configuration secrets, where a bug in masking nested sensitive fields allowed plaintext exposure via API endpoints. Affected component: BigQuerySchema secrets structure containing keyfile_creds.private_key exposed in plaintext acr...

6.5CVSS6.4AI score0.00577EPSS
CVE
CVE
added 2023/10/24 10:42 p.m.90 views

CVE-2023-46125

CVE-2023-46125 affects the Fides open-source privacy platform. The vulnerability arises in the webserver API’s GET /api/v1/config endpoint, where configuration data is returned with sensitive internals and backend details (e.g., settings, server addresses/ports, database username) despite filteri...

6.5CVSS6.3AI score0.00722EPSS
CVE
CVE
added 2023/11/15 8:53 p.m.82 views

CVE-2023-48224

CVE-2023-48224 affects Fides (Privacy Center) where one-time verification codes are generated using Python’s weak random module. The root cause is a cryptographically weak pseudo-random number generator, allowing an attacker who observes several hundred codes to predict future codes within the ba...

9.1CVSS8.8AI score0.00992EPSS
CVE
CVE
added 2023/10/24 10:51 p.m.77 views

CVE-2023-46124

CVE-2023-46124 affects the Fides web application. Specially crafted YAML dataset/configs uploaded as a ZIP can trigger Server-Side Request Forgery, allowing a malicious user to issue arbitrary requests to internal resources (including localhost) and exfiltrate data. The root cause is inadequate v...

8.2CVSS7.5AI score0.00675EPSS
CVE
CVE
added 2023/10/24 9:59 p.m.72 views

CVE-2023-46126

CVE-2023-46126 affects Fides: a JavaScript injection risk in the privacy policy URL editable by Admin UI users with contributor+ permissions. The flaw allows crafting a payload in the privacy policy URL that executes JavaScript when the privacy notice is served by an integrated website; the execu...

5.4CVSS4.8AI score0.00607EPSS
CVE
CVE
added 2024/05/29 4:35 p.m.64 views

CVE-2024-34715

CVE-2024-34715 affects the Fides webserver, where an improper escaping of the SQLAlchemy password string can cause the database password to be partially exposed in webserver logs when the password contains characters like @ or $. This is due to insufficient escaping of the password in the connect...

3.3CVSS3.4AI score0.00275EPSS
CVE
CVE
added 2024/09/04 3:43 p.m.57 views

CVE-2024-45052

Affected software : Fides Webserver authentication (part of the Fides platform). Vulnerability : timing-based username enumeration where an unauthenticated attacker can deduce valid usernames by measuring login response times. Root cause / mechanics : observable timing discrepancy between respons...

5.3CVSS5.3AI score0.00552EPSS
CVE
CVE
added 2025/09/08 9:17 p.m.30 views

CVE-2025-57817

The CVE describes a privilege-escalation flaw in Fides: before version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment, allowing users with client:create or client:update permissions to elevate to owner-level. Affected c...

8.6CVSS6.6AI score0.00392EPSS
CVE
CVE
added 2025/09/08 9:11 p.m.28 views

CVE-2025-57815

CVE-2025-57815 (Fides) describes a lack of anti-automation protections on the Admin UI login endpoint prior to version 2.69.1, enabling brute-force style credential testing (credential stuffing/password spraying) against accounts with weak or compromised passwords. Affected product: Fides (Open S...

6.5CVSS6.6AI score0.00277EPSS
CVE
CVE
added 2025/09/08 9:14 p.m.27 views

CVE-2025-57816

CVE-2025-57816 concerns the Fides Webserver API rate limiting. The issue arises in deployments that rely on the built‑in IP‑based rate limiter in proxied environments (CDNs, proxies, load balancers): limits are applied to the immediate connection IP rather than the client IP, and counters are sto...

7.5CVSS6.3AI score0.00406EPSS
CVE
CVE
added 2025/09/08 9:12 p.m.20 views

CVE-2025-57766

CVE-2025-57766 affects the Fides open-source privacy engineering platform. Prior to version 2.69.1, when an admin UI password is changed, existing active sessions are not invalidated, allowing an attacker who has obtained a valid session token (for example via XSS or other vector) to maintain acc...

6.3CVSS6.4AI score0.00275EPSS